Our SPA uses Auth0 to authenticate users and retrieve a token to access our backend Node.js API server. We use Auth0 rules to perform some pre-login checks and populate permissions.
We would like to call our API from the Auth0 rules as part of the login process. This enables the rules to populate some permissions and hold them in app_metadata, so the API doesn’t have to check the database every time the user logs in.
Is there a recommended access pattern to create an access token to call APIs from Auth0 rules (assuming these APIs already accept user tokens from Auth0)? Ideally Auth0 would be able to generate a signed token that we can attach to requests to the API.
In another community question, they were using jwt.sign to create tokens within a rule. However, they were messing about with specific library versions and had some reliability issues, so I wasn’t sure how supported their approach was. Does this look like the correct thing to do?
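// Module names inferred from usage; the name@version pins were not preserved.
var jwt = require('jsonwebtoken');
var request = require('request');
var userInfoToken = jwt.sign(
  { iat: Math.floor(Date.now() / 1000) - 2 }, // payload: issued-at back-dated by 2 seconds
  configuration.SIGNING_SECRET, // placeholder: the signing key is not shown in the post
  { issuer: 'https://' + context.request.hostname + '/' }
);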
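Added example, not part of the original post and not Auth0's recommended pattern: the kind of token the snippet above builds, signed with HS256 using Node's built-in crypto module instead of the jsonwebtoken library, together with the checks the receiving API has to make before trusting it. The shared secret, issuer, audience and function names are assumptions made for illustration.

```javascript
// Added example: HS256 token signing and verification with Node's crypto only.
const crypto = require('crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');
const hmac = (data, secret) =>
  crypto.createHmac('sha256', secret).update(data).digest();

// Rule side: short-lived token. iat is back-dated 2 s, as in the post's snippet.
function signServiceToken(secret, issuer, audience, nowSec, ttlSec = 60) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({
    iss: issuer, aud: audience, iat: nowSec - 2, exp: nowSec + ttlSec,
  }));
  const sig = hmac(`${header}.${payload}`, secret).toString('base64url');
  return `${header}.${payload}.${sig}`;
}

// API side: returns the claims, or throws with the reason for rejection.
function verifyServiceToken(token, secret, issuer, audience, nowSec, skewSec = 5) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed');
  const [header, payload, sig] = parts;
  let alg;
  try {
    alg = JSON.parse(Buffer.from(header, 'base64url').toString()).alg;
  } catch (e) {
    throw new Error('malformed');
  }
  // Pin the algorithm: the token's own header must never choose it.
  if (alg !== 'HS256') throw new Error('bad alg');
  const expected = hmac(`${header}.${payload}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  // Claims are parsed only after the signature has been checked.
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  if (claims.iss !== issuer) throw new Error('bad issuer');
  if (claims.aud !== audience) throw new Error('bad audience');
  if (typeof claims.exp !== 'number' || nowSec >= claims.exp) throw new Error('expired');
  if (typeof claims.iat !== 'number' || claims.iat > nowSec + skewSec) throw new Error('issued in future');
  return claims;
}

// Constructed sample values (not from the post).
const SECRET = 'constructed-demo-secret';
const ISS = 'https://tenant.example/';
const AUD = 'https://api.example/';
```

A token accepted only for one audience and a lifetime of about a minute limits what a leaked token can be used for; the signing secret belongs in the rule's configuration rather than in the rule source.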