Best way to give API access

Hi, I am an auth0 newbie. I am sure there must be a way to do what I am wanting to do, but after much studying I’m struggling to find something that fits the bill. My use case requires that a user be able to read their own data from a couple of endpoints from their own web app. Their app should not require them to authenticate in order to see the data. So, basically the user needs to be able to login to our trusted app and generate a token that they can store on their server in order to read their data on those two endpoints. What is the best approach for this? Sorry if this is a silly question, but I’ve been going in circles for days.

Hi @klientdevs,

Welcome to the Auth0 Community!

Can you expand on what you mean here? Could you give an example? It sounds like you are looking for something like a developer API key, but I’m not sure.

Yeah @dan.woda , I think we are on the same page. Basically, the user builds a web app that displays some data from our APIs. I need a way to ensure that their app and not someone else’s is accessing their data from the API, but I don’t want to specifically require that the developer authenticate themselves every time they get the data- I just want to verify the request is coming from their app. Does that help? Sorry if it’s still not clear.

@dan.woda An example might be an API for a blogging platform like Medium that allows me as a developer to create my own interface for viewing my blogs while still using their backend to store them. The data is meant to be public, so noone should need to login to see it, but there has to be a way to ensure that any given developer can only GET and display their own blogs and not someone else’s.

Perfect, thanks for the additional context.

These types of applications are considered Third Party Applications.

You can create these types of applications via the management API, and provide the third-party developer with a set of client keys to use for authentication.

If they are accessing this API from a secure backend, in a user-less transaction; they will want to use the client credentials grant.