Generate customer's tokens for backend API

Hi there. What I have:

  • SPA
  • Backend with API
  • Customers (i.e. users)
  • Organizations (user might be in several organizations at the same time)

What I want:

  • Implement some public API at my backend
  • Users want to have their own token to request my backend public API without my SPA (for example, a user wants to make a cron script)
  • This token should be on the Organization level (not for a user, i.e. a user with such a privilege releases a token for the organization)
  • This token should contain organization ID (my backend has to route this request into right organization)

What I don’t understand:

  • All things :upside_down_face: (just a joke)
  • How do I create a token? I found the docs Get refresh tokens on how to build a similar system, but there are no options. Does Auth0 support only this flow?
  • What should I do if I want to use only one token (like access_token) for all time, without refreshing?
  • May I release a token without the user’s request to auth0’s /authorize handler?
  • Should I create any Auth0 Application for that case? Which one (Regular app, M2M, …)?

Hope I was understandable :smiley:

3 Likes

Hi @naf,

Welcome to the Auth0 Community!

It sounds like you are describing First-Party and Third-Party Applications. Auth0 supports registering Third Party Applications, which would allow your customers/developers the ability to request their own tokens for use with your API.

I’ll try to answer a few of your questions too:

It sounds like you are describing an API key, which is something we don’t support. All access tokens have an expiration, and you will need a refresh token to create a session that doesn’t expire.

The doc I linked has some information about how to set this up, but feel free to let me know if you have any questions.