Exclusively using Auth0's accessToken and calling an HTTP API?

First of all, thanks a lot for all the support. I'm very new to Auth0, although I'm already convinced that it's the best solution for our authentication issues.

I'm currently migrating an old application (which already has users and profiles on MongoDB) into a new application. Since I already have user profiles and usernames/passwords, I'm not interested in the profile features from Auth0; the only part of the application which I need to migrate to Auth0 is authentication, and from that point on I should use solely my HTTP API.

The new application (which I'm migrating the old userbase into) is broken into two pieces.

  1. Next.js frontend, used exclusively to server-side render a React application; no API methods or connections to the database are made from this app
  2. HTTP API, which is a separate API which provides access to application data.

My current plan is to use Auth0 to log my user in on the frontend application, which will provide an endpoint for the user to retrieve his accessToken; once the user fetches the accessToken, the user shall always call the API passing the accessToken in the header of the HTTP requests.

Is that the recommended solution, or shall I actually authenticate the user on my HTTP API using the cookies provided by Auth0?

One thing that worries me about the cookies is that eventually we plan to release a headless version of our application, which I suspect would benefit from using the accessToken as the authentication method instead of using cookies? Is that a healthy assumption?

Once again, thanks a lot for all the support.

That's the flow I'm thinking of:

  • User logs in on the frontend app
  • User requests the accessToken from the frontend app (or parses it from the callback URL?)
  • User calls the HTTP API, sending the accessToken in the header of every request

What I wonder here is: the access token will probably need to be renewed from time to time, so I wonder if I would have to renew the access token manually in my frontend application?

Is there an alternative route, perhaps more efficient or more secure?