Building a public facing API with Auth0

I need to expand my backend API to accommodate public API endpoints that our clients can connect to.

For internal endpoints, we’re already using Auth0 to verify the validity of the access token.

For our public API endpoints, we’re considering supporting API keys, as they’re widely used (for instance, in the Stripe API).

From what I’ve gathered, it appears that Auth0 doesn’t support API key mechanisms, and instead, they recommend using OAuth 2.0:

  1. Create Machine-to-Machine (M2M) clients in Auth0 for each customer (using the management API)
  2. Provide customers with their client credentials
  3. Allow them to manage the grant

However, I’m finding it difficult to grasp how this would operate. Does this imply that I need to instruct our clients to:

  1. Send their credentials to our Auth0 /authorize endpoint to obtain an access token, and handle the logic on their end
  2. Use the token to access our API

This seems quite complex from a user experience perspective. I’m wondering if there are more straightforward alternatives for them, offering a similar level of simplicity as API Keys.

Could we request them to directly send their Client ID & Client Secret in the basic auth header of their API requests to our public endpoints? Then, we could have a middleware that calls /authorize to get an access token, which is then injected into the request headers, followed by the use of the JWT verify middleware.


You are on the right track.

If you just want to use API Keys, you would not need Auth0. However, I recommend storing the API Keys in a vault and rotating those API keys periodically.

If you would like to use something like Client Credentials Flow, you would have to call authorize endpoint with the client credential. If you would like to use a middleware to call the authorize endpoint adjust the audience value in your api (access_token) accordingly. I also recommend using Refresh Tokens to lower your Quota Utilizations Limits.

Hope this helps. :slight_smile:

1 Like