Hi, I need the ability to allow third-party services to authenticate into my API on behalf of a user. There are many APIs out there that allow this, such as GitHub and Azure. They use the concept of an API key associated with a user’s account.
There are many posts in the Auth0 forums requesting this capability but I’m not sure if anyone has really found a solution.
There has been the occasional suggestion of using the refresh_token but this is a very different concept.
The use case I need a solution for is…
- User logs into my website using Auth0 lock screen
- User requests an API key (preferably able to declare scopes for key as well) from my website’s admin screen
- User gives API key to a TRUSTED third-party service
- Third-party service uses API Key to make request to my API
- My API validates API Key. I’m thinking it would receive a bearer token in exchange for the API Key.
- There must also be ability for user to revoke API Key.
Does anyone know how I would achieve this use case with Auth0? It seems like such a common use case which is why I feel I must be missing something obvious with Auth0. Unfortunately, like many other people on these forums, this capability is a mandatory requirement for my solution, so if it cannot be done it would eliminate Auth0 as an option for my project.
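The issue, validate and revoke steps from the list above, sketched as an added example that is not part of the original post and is not an Auth0 API. The function names, the in-memory store and the `key_id.secret` key format are assumptions; the exchange of a validated key for a bearer token is not shown.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store (assumption); a real service would use a database.
# Maps key_id -> record. Only a hash of the secret is kept, never the secret.
_KEYS = {}


def issue_api_key(user_id, scopes):
    """Create a key for user_id limited to scopes; return it once, in the clear."""
    key_id = secrets.token_hex(8)        # public lookup handle
    secret = secrets.token_urlsafe(32)   # high-entropy secret part
    _KEYS[key_id] = {
        "user_id": user_id,
        "scopes": frozenset(scopes),
        "secret_hash": hashlib.sha256(secret.encode()).hexdigest(),
        "revoked": False,
        "created": time.time(),
    }
    return f"{key_id}.{secret}"


def revoke_api_key(user_id, key_id):
    """Revoke a key; only its owner may do so. Returns True if revoked."""
    rec = _KEYS.get(key_id)
    if rec is None or rec["user_id"] != user_id:
        return False
    rec["revoked"] = True
    return True


def validate_api_key(presented, required_scope):
    """Return the owning user_id if the key is valid for required_scope, else None."""
    key_id, sep, secret = presented.partition(".")
    rec = _KEYS.get(key_id)
    if not sep or rec is None:
        return None
    digest = hashlib.sha256(secret.encode()).hexdigest()
    # Constant-time comparison so the check does not leak how much matched.
    if not hmac.compare_digest(digest, rec["secret_hash"]):
        return None
    # Revocation and scope are checked on every request, so revoking is immediate.
    if rec["revoked"] or required_scope not in rec["scopes"]:
        return None
    return rec["user_id"]
```

Because only the hash is stored, the clear-text key can be shown to the user exactly once, at issue time.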