Combining own api with Management API v2

Hi! I’m building a React-Native app (with Expo) and have a question regarding getting a token for multiple APIs (yes I read the docs :D).

I have my own api: https://api.mydomain.com/graphql with scope admin:graphql-api and I’m using the Auth0 Management API v2 (https://mytenant.eu.auth0.com/api/v2/ with scope update:current_user_metadata).

How can I create a ‘combined’ api so I can get 1 accessToken that is valid for both APIs?

I’ve created a third API: https://api.mydomain.com/mobile-user, added scopes admin:graphql-api and update:current_user_metadata, but when I try to use the token this 3rd API returns to update user_metadata on the Management API, I get the error:

user_metadata Object {
  "error": "Unauthorized",
  "message": "Bad audience: https://api.mydomain.com/mobile-user https://mytenant.eu.auth0.com/userinfo",
  "statusCode": 401,
}

This makes sense, because neither mobile-user nor /userinfo is the API I’m talking to, which is /api/v2/.

My auth config:

Object {
  "additionalParameters": Object {
    "audience": "https://api.mydomain.com/mobile-user",
  },
  "clientId": "MYCLIENTID",
  "issuer": "https://mytenant.eu.auth0.com",
  "redirectUrl": "exp://127.0.0.1:19000/oauthredirect",
  "scopes": Array [
    "openid",
    "profile",
    "email",
    "offline_access",
    "update:current_user_metadata",
    "admin:graphql-api",
  ],
}

If I use audience https://mytenant.eu.auth0.com/api/v2/ I get a perfectly functioning token, but this would only be valid for the Management API v2 not my own API.

How to solve this? Thanks in advance!

P.S. The idea is to have one token that allows me to update user details using user_metadata but also use it to talk to my backend graphql api.

Or could I use the AccessToken I get for the Management API in my own custom API and just validate against the audience of the Management API?

Hi @aldegoeij, for accomplishing your scenario, you’ll need two access tokens. It can’t be done with a single access token. This is because multiple audiences are supported in an Auth0-issued access token ONLY IF one of the audiences is the https://{{auth0-domain}}/userinfo API.

The second access token can be requested using Auth0 Silent Authentication.

Also, you can combine two or more custom APIs together as one logical API on Auth0, however, you cannot combine a custom API and the Auth0 Management API as one logical API.

Hi! Thanks for your response!

Clear! I was already afraid that the Management API would be the exception :smiley:

Indeed I found that if I request a token for my custom API, I get the userinfo for free :slight_smile:

Could you share some more info on the ‘Silent Authentication’ option?

Or can I use (and validate) the Management API AccessToken on my backend as well?

Should I first request the Management API token, and then use the returned AccessToken to retrieve a second AccessToken for my custom API? Any tips / hints since I’m using React Native with WebBrowser auth? (Expo’s AppAuth)

Hi @aldegoeij, Silent Authentication means issuing a new Authorization Request with different (or the same) parameters such that the user is not prompted to log in because they already have an active session. For example, see this: Auth0 Single Page App SDK

Your first Authorization Request could be with audience https://my-custom-api where the user has to log in interactively. Your second (silent) authorization request could be one with audience of the Management API (& current user scopes only).