Best way to securely pass user app_metadata to api to query user specific data

I’m new to auth0, so I’ll be as detailed as possible, because I want to find the best solution to achieve my goal.

I have a React client and a Node.js api that I have authenticated with these steps:

Now that I have this in place I would like to take user specific app_metadata, once the user is authenticated on the client, send this with the http request to the API, and retrieve information for the specific authenticated user.

For example, the user has app_metadata "host": "0.0.0.0:8000". I would like to securely send this to the API so that the user can only query information from their host "host": "0.0.0.0:8000", and not some other host like, "host": "0.0.0.0:1234".

This seems like it would be easy to achieve, but I’ve found it difficult to sort through all of the capabilities.

To be more clear, I’m able to retrieve the app_metadata on the client through this rule: https://auth0.com/docs/rules/references/samples#copy-user-metadata-to-id-token

So receiving host metadata is not an issue. The issue is that I’m afraid any user could take their authorization and query the api for a host that is not theirs.

Hi @schoenbl, welcome to Auth0 community.

Based on the quickstart URLs you provided, I assume you already populate the app_metadata value in your access token, receive it from the React app, and send this to the backend from the React app. Note that you should be using the access token here, not the ID token.

The Node.js API validates the signatures of the access tokens it receives. This means if a user meddles with the token, the backend will not accept it. Only Auth0 is able to generate a token with a valid signature.

Does that answer your concern?

Yes, this helps.

My only other question is, how does the client get associated with the API? I don’t think I specified this at any point.

Is it just through the audience that is given on the client when the token is generated?

The token is generated based on the audience parameter.

You do not need to associate the client with the API. If the “Allow Skipping User Consent” toggle is turned off, the user will receive a consent screen saying that the particular client is requesting access to the API. But usually this toggle can be turned off unless it’s a third-party app.