I need to expand my backend API to accommodate public API endpoints that our clients can connect to.
For internal endpoints, we’re already using Auth0 to verify the validity of the access token.
For our public API endpoints, we’re considering supporting API keys, as they’re widely used (for instance, in the Stripe API).
From what I’ve gathered, it appears that Auth0 doesn’t support API key mechanisms, and instead, they recommend using OAuth 2.0:
- Create Machine-to-Machine (M2M) clients in Auth0 for each customer (using the management API)
- Provide customers with their client credentials
- Allow them to manage the grant
However, I’m finding it difficult to grasp how this would operate. Does this imply that I need to instruct our clients to:
- Send their credentials to our Auth0 /authorize endpoint to obtain an access token, and handle the logic on their end
- Use the token to access our API
This seems quite complex from a user experience perspective. I’m wondering if there are more straightforward alternatives for them, offering a similar level of simplicity as API Keys.
Could we request them to directly send their Client ID & Client Secret in the basic auth header of their API requests to our public endpoints? Then, we could have a middleware that calls /authorize to get an access token, which is then injected into the request headers, followed by the use of the JWT verify middleware.
Thanks!
