Call API From Rule

Problem statement

We want to know how to call an API from a rule, such as updating a user or other functionality.


Rules run after every successful authentication. This is something to keep in mind when deciding how to sequence your rules, and whether you should do this on every authentication or conditionally. Long API calls will make authenticating take more time. It is recommended that more expensive rules (like an API call), are run last. For example, if you are going to return an unauthorized error if the user has not verified their email, do that before calling your API.

To do this, you need to configure your rule to make an API call. You can add Machine 2 Machine (M2M) authorization between your rule and your target API, just like you would between any two non-interactive clients, protecting the transaction with Auth0.

First, register your API.

This can be done via the Dashboard or the Management API. In the Dashboard, navigate to APIs+ Create API. Here you can set up your API, register your permissions, and manage your M2M applications.

Next, register an application for your rule.

Navigate to Applications+ Create Application → select M2M application. After creating the application, go to the APIs tab in the application settings and toggle the API just created to Authorized.

Finally, we need to create the rule.

Navigate to Rules+ Create Rule</> Empty Rule. Here you can request an access token designated for the API registered and then make whatever API call we need. After creating the rule, add your client ID and client secret to the global configuration object in the settings section.

Here is an example:

function (user, context, callback) {
  const axios = require('axios@0.19.2');

  //Request the access token
  const options = { method: 'POST',
    url: `https://${auth0.domain}/oauth/token`,
    headers: { 'content-type': 'application/json' },
    data: `{"client_id":"${configuration.RULE_APP_CLIENT_ID}","client_secret":"${configuration.RULE_APP_CLIENT_SECRET}","audience":"https://test-api","grant_type":"client_credentials"}` };

    .then( res => {
      const access_token =;
    	//Call your API
    .catch( err => {
  return callback(null, user, context);

Note: the above scripts use Axios 0.19.2, the latest version available in rules. Make sure to check what Node.js modules are available in rules. 311

Video Tutorial