Do I need to authenticate the user twice to access our own API and edit the name of the user from the same SPA?

The problem seems really simple: I’m developing an SPA as the frontend of our product. The app communicates most of the time with our API, so the audience of the ‘main’ access token is the URL of the API.
However, we would like to have a ‘profile’ page, where the user is able to add/edit profile information like phone number, name, etc. It would be nice if we could store this information in Auth0, as it’s already has a great profile structure that could handle all our needs.

Based on the documentation of the js lib, I need to explicitly add Auth0’s API as the audience, to get an access token with the privileges to edit the user info.

Since I can’t declare multiple auidances I see the following possible solutions:

  • Implement my own ‘user-profile-service’ on our API and use Auth0’s client ID as the foreign key.
  • Implement a proxy microservice on our API that authenticates the user with our audience and scopes and then uses an M2M client to update the info in Auth0. (This is basically the recommended solution)
  • Authenticate the user twice: First when they login to the SPA, second when they navigate to the profile page. Then keep two access tokens/two clients.

I don’t like any of these options: The first two fail from the developer perspective, the 3rd from the user perspective.


Hello! Welcome to our community.

We noticed that you are in the right path. The second option is the recommended solution since this is the best option from a user experience and from a security perspective. Why do you think that option does not suit you accordingly?



Well, honestly I just hoped that I could get away with auth and profile management just from the client-side. Even if this microservice/proxy is dead simple, it’s just one more thing that we need to build and maintain.

On the other hand, I can see the security reasons behind this decision, so… let’s build a proxy.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.