Flow for SPA to API and API to API

trondhindenes · May 12, 2017, 12:39am

We have a bunch of administrative apis where we’re using Aurelia and Lock on the frontend to access them, and this works really well. The problem is that we’d also like to script against the same api using a multitude of scripting tools (these will be both interactive and non-interactive (eg api-to-api).

While could sorta get away with our current lock-based solution in interactive mode by having the user first grab his/her access token from an authenticated (SPA) session, this wouldn’t work in an api-to-api setting.

As far as I can see from the docs, the recommended way by auth0 is to create a separate auth0 client for each api that needs access to my “backend api”, but this solution seems fairly dreadful in terms of management - we’d end up with who knows how many clients.

Am I missing something, or is this the recommended (and only?) approach? I guess I’d really like to be able to create named users representing my “client apis” and somehow store api keys for each user instead - but from what I’ve seen that’s not currently an option with Auth0.

I’d appreciate if someone could confirm my assumptions.

trondhindenes · May 12, 2017, 12:45am

So after writing this I come across the new “api” section in the management thingy. Will study there and then update/resolve the question.

jmangelo · May 17, 2017, 4:17pm

@trond did the docs clarify your situation or are you still looking for additional guidance?

trond.hindenes · May 19, 2017, 11:57pm

@jmangelo definetely, this is a very nice improvement. I guess I’d still like some way to separate an “api client” from a “client app”, but this is a definite improvement anyways. Thanks for reaching out!

jmangelo · May 24, 2017, 5:42pm

As you come across in the documentation the recommendation is indeed to have a specific (non-interactive) client application to represent the API to API calls.

In relation to your comment about having a separation between API clients and normal client applications there’s some separation although the separation is not reflected in the Dashboard in terms of different screen. When you create an API client you should be setting its client type as Non Interactive so there’s is indeed some level of separation (based on the client type).