Can I block an SPA application from accessing an API?


I’ve set up several APIs in my dashboard. Some of them are to be exposed in M2M flows only, and two of them are to be accessed both by other APIs and by the frontend, which is an SPA.

I also have one Application for each of the APIs that need access to another API, and an application for the SPA.

As for the M2M flows, I can manage which applications can access each API, and it’s working fine. However, my Frontend application can always access any API as long as it requests the correct authorities. As far as I know I can manage permissions only on a per-user basis, but I would like to just block the application completely from accessing an API.

Is there a reason for not being able to do so?

If an API is meant to be accessed by other APIs, how can I block an SPA application from accessing it from an Auth0 point of view?

Hi @Luso

Create an action (or rule) that fails the auth when the Client ID is your SPA, and the requested audience is the API you don’t want accessed.
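
The check described in the answer above, sketched as a post-login Action. This is an added example, not code from the original thread or from Auth0; the Client ID and API identifier are placeholders, and `isDenied` and `DENIED_AUDIENCES_BY_CLIENT` are hypothetical names.

```javascript
// Added example: Auth0 post-login Action (Node.js).
// Placeholders (assumptions): replace with your SPA's Client ID and the
// identifiers (audiences) of the APIs reserved for M2M callers.
const DENIED_AUDIENCES_BY_CLIENT = new Map([
  [
    "YOUR_SPA_CLIENT_ID",
    new Set([
      "https://internal-api.example.com", // placeholder API identifier
    ]),
  ],
]);

// Pure decision function so the policy can be unit-tested outside Auth0.
// Identifiers are compared exactly; a trailing slash makes a different audience.
function isDenied(clientId, audience) {
  const denied = DENIED_AUDIENCES_BY_CLIENT.get(clientId);
  return denied !== undefined && denied.has(audience);
}

const onExecutePostLogin = async (event, api) => {
  const clientId = event.client.client_id;
  // Prefer the resource server Auth0 resolved for this transaction and
  // fall back to the raw `audience` query parameter of the request.
  const audience =
    event.resource_server?.identifier ?? event.request?.query?.audience;

  if (isDenied(clientId, audience)) {
    // Fails the login, so no access token for this API is issued to the SPA.
    api.access.deny("This application is not allowed to request this API.");
  }
};

// Auth0 loads the handler from the CommonJS export.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Client-credentials (M2M) token requests do not pass through the post-login trigger, so the per-application API authorization already in place keeps governing those callers.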