Hi there. I’m new to federated auth so pardon my ignorance.
My situation is like this: a SPA+API which I will call, as a whole, the App. This App is actually deployed/instanced per user (think WordPress).
I thought I would get an access token from Auth0 with the SPA (frontend/JS). Then the SPA would send the API (server backend, Node.js) the access token for every request. The API would use its secret to validate the token with Auth0, and if valid, would return a 200 response. Is this accurate?
As for getting a secret, it sounds like I will need to use Auth0’s Management API to dynamically create… something (an app plus API? or just one?) for each deployment/instance. Is this the case? Or can I simply add to the callback URL whitelist for one app since they are instances of the same app?