Hi,
Currently, we use a Next.js application as a standard web application with our API, both integrated with Auth0. Everything works correctly, but I have a few questions.
First of all, we need to obtain an access token for our API on the client side because we need to authenticate to the websocket. Additionally, we require an access token for calling the API outside of our web application, which is written in Next.js. As we currently employ the Authorization Code Flow, I believe that obtaining the access token and exposing it on the client side (browser) is not the best practice. I have implemented a refresh token, and the access token is valid only for 24 hours, but I still believe that there is a better solution.
An ideal solution from our perspective would be to generate a “one-time” token with the correct permissions for particular resources, and once the token is used, it would no longer be valid. Is such a possibility available in Auth0, or would you recommend another solution for us?
Thanks!