I am providing an API consisting of a simple GET request to a customer (in .NET Core). They need to be authenticated. I am using Auth0 to authenticate and authorize, but is it appropriate to ask the customer to make the first call using my client id and client secret to retrieve the token himself, or should I expose another request for him? Is there a standard approach?
Good morning @chocolatecram and welcome to the Auth0 Community!
I apologize for the delay in response… Personally I don’t think it’s ideal to have them make the first API call after handing over your client id and client secret. Is there a reason you were taking this route specifically? We have documentation on how the tokens are handled at Auth0 that may be of some help in your quest. Thanks!
I agree…as yet I don’t know how they plan on accessing the API. Ideally, I would like to provide them with a username and password so they can log in, and then call the API once they have been authenticated. Thanks…
After talking with another engineer, the first method may actually be preferred for this use case. Provide the client id and client secret and set them up for retrieving an access token. Please let me know if you have any questions.
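The token retrieval discussed in this thread, sketched from the customer's side as an added example (not code from any poster or from Auth0): the client exchanges its client id and secret at the tenant's `/oauth/token` endpoint using the client credentials grant, caches the access token until shortly before expiry, and sends it as a Bearer header on the GET request. The tenant domain, audience, class name and helper names are placeholders chosen for illustration.

```python
import json
import time
import urllib.request

# Placeholders (assumptions): substitute the tenant domain, the API identifier
# and the client id / secret issued to the customer.
TOKEN_URL = "https://YOUR_TENANT.auth0.com/oauth/token"
AUDIENCE = "https://api.example.com"


def http_post_json(url, payload):
    """Default transport: POST a JSON body and return the decoded JSON reply."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ClientCredentialsAuth:
    """Fetches an access token with the client credentials grant and caches it."""

    def __init__(self, client_id, client_secret, post=http_post_json, clock=time.time):
        self._body = {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "audience": AUDIENCE,
        }
        self._post, self._clock = post, clock
        self._token, self._expires_at = None, 0.0

    def token(self, skew=30):
        # Reuse the cached token until shortly before it expires, so the
        # secret is sent to the token endpoint only when needed.
        if self._token is None or self._clock() >= self._expires_at - skew:
            reply = self._post(TOKEN_URL, self._body)
            if reply.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type in token response")
            self._token = reply["access_token"]
            self._expires_at = self._clock() + int(reply["expires_in"])
        return self._token

    def headers(self):
        # Header to attach to the GET request against the protected API.
        return {"Authorization": "Bearer " + self.token()}
```

The `post` and `clock` parameters exist so the flow can be exercised without network access; in normal use the defaults are left in place and the secret is loaded from the client's own secret store rather than source code.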