Changing scope of token, or need something like AD on-behalf-of flow

I have a requirement where I am getting one token from the Authorization Server (Auth0) which is used to authenticate both the API and the device.


If my device gets compromised, then with the token the attacker can invoke the API.
Is there any way I can restrict the token to only access the device or only access the API?
I want Auth0 to issue a token specific to the API and a token specific to the device.
Is there any feature that can help here?

Hi @rsrinivasanhome,

Welcome to the Auth0 Community and sorry for the late reply.

You can restrict a token to be used only for a specific resource, such as your API or device, by specifying different audiences. For that you can create two APIs in your Auth0 Dashboard, one for your backend API and one for your device service, then make different requests to the /oauth/token endpoint.

Additionally, you can also look into configuring a logical API. For that you can look into this documentation or this Knowledge Article.

Hope this helped.
Thanks,
Remus
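The audience-separation approach described in the answer above, as an added worked example that is not part of the original thread or of Auth0's own code. It shows the two /oauth/token request bodies that differ only in `audience`, then a resource-server check that rejects a token minted for the device audience when it is presented to the backend API. The tenant domain, both API identifiers and the client credentials are assumptions; Auth0 signs access tokens with RS256 using a per-tenant key, but this example mints and verifies HS256 tokens with a constructed demo secret so that it runs offline with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key so the example is self-contained. Auth0 itself signs
# access tokens with RS256 and a per-tenant key; never use a shared secret like
# this in production.
DEMO_SECRET = b"demo-signing-secret-not-for-production"

AUTH0_DOMAIN = "your-tenant.auth0.com"            # assumption
API_AUDIENCE = "https://backend-api.example.com"  # assumption: identifier of API #1
DEVICE_AUDIENCE = "https://device.example.com"    # assumption: identifier of API #2


def token_request(client_id, client_secret, audience):
    """Body of the POST to https://{AUTH0_DOMAIN}/oauth/token for one audience.

    Two calls with different `audience` values yield two distinct access
    tokens, each bound through its `aud` claim to exactly one resource server.
    """
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(audience, sub="client@clients", ttl=3600, now=None):
    """Mint an HS256 JWT carrying `aud` (stand-in for the token Auth0 returns)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": f"https://{AUTH0_DOMAIN}/",
        "sub": sub,
        "aud": audience,
        "iat": now,
        "exp": now + ttl,
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(payload))
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_for_audience(token, expected_audience, now=None):
    """Resource-server check: alg, signature, expiry, issuer and, crucially, `aud`.

    Returns the claims on success or raises ValueError. A token minted for the
    device audience fails here even though the same tenant issued it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm before verifying
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(DEMO_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("iss") != f"https://{AUTH0_DOMAIN}/":
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # `aud` may be a list
    if expected_audience not in auds:
        raise ValueError(f"token not issued for {expected_audience}")
    return claims


def api_accepts(token):
    """True if the backend API would accept the token, False otherwise."""
    try:
        verify_for_audience(token, API_AUDIENCE)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(token_request("CLIENT_ID", "CLIENT_SECRET", API_AUDIENCE))
    print(token_request("CLIENT_ID", "CLIENT_SECRET", DEVICE_AUDIENCE))
    api_token = issue_token(API_AUDIENCE)
    device_token = issue_token(DEVICE_AUDIENCE)
    print("API token at API:   ", api_accepts(api_token))     # True
    print("device token at API:", api_accepts(device_token))  # False
```

The point of the design is that the audience check happens at the resource server, not at Auth0: a compromised device only holds a token whose `aud` is the device identifier, so the backend API refuses it regardless of issuer or signature validity. The device service applies the same check with its own identifier.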
