Best way to limit APIs per Application

I want to limit my audiences per client when going through code flow.

Right now I have multiple applications as well as multiple clients. When I go through code flow I can include any API as an audience for my access token.

What I want to do is limit my Application to only be able to ask for one audience, so that when I go through code flow I will get unauthorized or bad request when I request the wrong audience for that Application.

We are fairly new to Auth0 provider and perhaps I am missing a setting somewhere.

(Audience is an API in the dashboard).

Hi @kkulakou,

Welcome to the Auth0 Community!

I understand that you are looking to limit API access for your applications.

To do so, you will have to navigate to your API settings on your tenant dashboard settings and click on the Machine to Machine Application tab.

On that page, you have the option to enable the applications you would like to grant API access. See below.

Once that is complete, the application can get an access token for the corresponding APIs and an unauthorized error otherwise.

Please do not hesitate to reach out if you have additional questions.

Thank you.

1 Like

Thank you for your suggestion. I am a little bit confused by this UI. This says Machine to Machine Application. In my case I will be going through code flow and not client_credentials.

It might be that my explanation was a little bit off. I am going through grant flow and requesting tokens from a specific application, and with the request URL I pass the audience parameter. Audience is my APIs, so what I want to do is limit audience per application in code flow.

Thank you!

Hi @kkulakou,

I understand your confusion, and it is good feedback. For now, this is the way to enable API access to your Machine-to-Machine and Regular Web Applications. Single Page Applications and Native Apps are excluded from this list since they do not require additional configuration.

Note that granting API access through this interface is separate from the grant type flows such as code or client_credentials as you described.

In this case, granting your regular web app API access will still allow you to call the API using the authorization code flow. In the request, you can specify the API identifier in the audience parameter.

And to reiterate, regular web applications will only receive an unauthorized error when trying to authorize with an API that they do not have access to.

Hope this helps!

Please let me know if you have any further questions.

Thank you.

1 Like
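As an added illustration (not code from this thread, from Auth0's SDKs, or from the poster), the following shows the two places the `audience` value appears in the authorization code flow described above: the `/authorize` request the application builds, and the `aud` claim the API should check before trusting an access token. The tenant domain, client ID, redirect URI and API identifiers are constructed placeholders, and the test token is an unsigned stand-in built only so the parsing runs offline; a real access token is signed, and an API must verify its signature, issuer and expiry (for example against the tenant's JWKS) before the audience comparison below means anything.

```python
"""Audience in the authorization code flow: request side and API (resource server) side."""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values; not a real tenant, client or API.
TENANT_DOMAIN = "example-tenant.auth0.com"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/callback"
API_IDENTIFIER = "https://orders-api.example.com"  # the API identifier configured in the dashboard


def build_authorize_url(audience: str, state: str, scope: str = "openid profile") -> str:
    """Build the /authorize request for the code flow, naming the target API via `audience`."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "audience": audience,
    }
    return f"https://{TENANT_DOMAIN}/authorize?" + urlencode(params)


def parse_authorize_url(url: str) -> dict:
    """Return the query parameters of an /authorize URL as single values (for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_audience(access_token: str) -> list:
    """Return the `aud` claim of a JWT access token as a list (a string `aud` becomes a one-item list)."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    aud = payload.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def api_accepts_token(access_token: str, expected_audience: str = API_IDENTIFIER) -> bool:
    """Resource-server check: accept only tokens whose `aud` names this API.

    This is the comparison an API performs after it has already verified the token's
    signature, issuer and expiry; a token minted for a different API is rejected here
    even though it came from the same tenant.
    """
    return expected_audience in token_audience(access_token)


def make_unsigned_test_token(aud) -> str:
    """Build a constructed, unsigned JWT so the parsing above can run offline.

    Real access tokens are signed (alg RS256 by default); this helper exists only to
    produce sample input and must never be used to create tokens an API would accept.
    """
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    header = {"alg": "none", "typ": "JWT"}  # placeholder header for the constructed sample
    payload = {"iss": f"https://{TENANT_DOMAIN}/", "sub": "auth0|constructed-user", "aud": aud}
    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    url = build_authorize_url(API_IDENTIFIER, state="constructed-state")
    print("authorize request:", url)
    good = make_unsigned_test_token([API_IDENTIFIER, f"https://{TENANT_DOMAIN}/userinfo"])
    bad = make_unsigned_test_token("https://billing-api.example.com")
    print("token for orders API accepted:", api_accepts_token(good))
    print("token for billing API accepted:", api_accepts_token(bad))
```

The dashboard setting discussed in the thread decides whether the tenant will issue a token for a given application and audience at all; the `api_accepts_token` check is the complementary control on the API, so that a token issued for one API identifier is not honoured by another.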

Thank you. Will take a look and try, and accept this as an answer if it works as appropriate.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.