Can you create a single-use / short-lived token with Auth0?

Hi,

Currently, we use a Next.js application as a standard web application with our API, both integrated with Auth0. Everything works correctly, but I have a few questions.

First of all, we need to obtain an access token for our API on the client side because we need to authenticate to the websocket. Additionally, we require an access token for calling the API outside of our web application, which is written in Next.js. As we currently employ the Authorization Code Flow, I believe that obtaining the access token and exposing it on the client side (browser) is not the best practice. I have implemented a refresh token, and the access token is valid only for 24 hours, but I still believe that there is a better solution.

An ideal solution from our perspective would be to generate a “one-time” token with the correct permissions for particular resources, and once the token is used, it would no longer be valid. Is such a possibility available in Auth0, or would you recommend another solution for us?

Thanks!

Hey there @patrikbraborec, welcome to the community!

Have you considered just adding a custom claim to the token(s) as a sort of one-time use flag? You’d need to implement some logic to check for this of course. Auth0 doesn’t support this approach OOB so to speak, but there are certainly ways you could go about it.

Thank you very much for your reply and advice!

We need one access token that we use for API calls from Next.js server components / APIs. It is completely okay for us to have an access token with a 24-hour expiry along with a refresh token. If I understand your proposal correctly, for use cases where we need an access token on client side (browser), we would create a new access token with custom claims. Is it possible to have these two tokens work together simultaneously?

Thanks!