Hook wants to call my API: how to authorize it?

Hey everyone. I have an SPA that authenticates with an Auth0 SPA app and calls a (homemade) API that accepts the SPA’s tokens. Works great. It’s exactly like the “ExampleCo” timesheet scenario in https://auth0.com/docs/architecture-scenarios/spa-api

I want to add a hook to the SPA app, and that hook is going to need to call the same homemade API. Specifically, my API has its own User implementation, and I want to call something like POST /api/user whenever Auth0 creates a new user in the SPA app.

I’m trying this out and getting 401 (Unauthorized) failures in the hook testing window.

Note that this API is definitely accepting tokens directly from my SPA app. So I’m unclear on why a hook in my SPA app isn’t Authorized to call the API that is already known to accept tokens from my SPA app.

I realize that an M2M is recommended when you want to call an API from within a Hook, but… that would be from what to what under the circumstances? I’m confused by the need for any more complexity when I (should) already have the needed token.

Hi @catfood,

Welcome to the Community!

To clarify, you mean you created a hook in auth0? Like a post user registration hook?

If yes, then you would authenticate it with an M2M token. The hook acts as the client and your API as the resource.

Here is an explanation:

If you have questions please let me know!


Yes, I created a post user registration hook in auth0. The thing I wasn’t getting (“more complexity”) is that hooks don’t belong to apps, they belong to the tenant. My hook doesn’t magically have access to the API just because they’re both defined in the same tenant. Okay.

I still feel like I’m writing a lot of code in my hook though. Do I have to go make a call to the /oauth/token endpoint and slog through all the parsing and error checking just to get the token that the M2M wants to give me? There has to be an easier way.

Yes, to get an up-to-date token you have to request it from the token endpoint.

If you don’t want to write a function to get the token, then I would recommend checking out this page, where you can select a node.js example and all you have to do is paste the code in your hook and fill in credentials and domain. Fairly straightforward.

It’s also completely up to you how you authenticate the call to your API. The ability to write your own code gives you that flexibility.

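The token request and API call discussed in the answer above, as an added example that is not part of the original thread and is not Auth0's sample code. It assumes Node 18+ (global `fetch`); the URLs, credentials, the `cfg` object, the function names and the `auth0_id`/`email` payload fields are placeholders for illustration.

```javascript
// Added example. Every URL, credential and payload field below is a placeholder.
const cfg = {
  tokenUrl: 'https://YOUR_TENANT.example.test/oauth/token', // tenant token endpoint
  audience: 'https://api.example.test/',                    // the API's identifier
  apiUrl: 'https://api.example.test/api/user',
  clientId: 'M2M_CLIENT_ID',         // keep real values in the hook's secrets,
  clientSecret: 'M2M_CLIENT_SECRET', // never in the hook source
};

let cached = null; // reused only if the runtime keeps this module loaded

// Client-credentials grant: the hook (client) asks for a token for the API.
async function getM2MToken(cfg, fetchImpl = fetch, now = Date.now) {
  if (cached && cached.expiresAt - 60000 > now()) return cached.token;
  const res = await fetchImpl(cfg.tokenUrl, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: cfg.clientId,
      client_secret: cfg.clientSecret,
      audience: cfg.audience,
    }),
  });
  // Report the status only, so the secret and token never reach the hook logs.
  if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
  const body = await res.json();
  if (!body.access_token || body.token_type !== 'Bearer') {
    throw new Error('unexpected token response');
  }
  cached = { token: body.access_token, expiresAt: now() + body.expires_in * 1000 };
  return cached.token;
}

async function createApiUser(user, cfg, fetchImpl = fetch) {
  const token = await getM2MToken(cfg, fetchImpl);
  const res = await fetchImpl(cfg.apiUrl, {
    method: 'POST',
    headers: { 'content-type': 'application/json', authorization: `Bearer ${token}` },
    body: JSON.stringify({ auth0_id: user.id, email: user.email }), // hypothetical fields
  });
  if (!res.ok) throw new Error(`API returned ${res.status}`);
  return res.status;
}

// Shape of the post-user-registration hook; in the hook editor, export this function.
function postUserRegistration(user, context, cb) {
  createApiUser(user, cfg).then(() => cb(), (err) => cb(err));
}
```

The M2M application whose credentials are used here has to be authorized for the API in the tenant; otherwise the token endpoint refuses the request and the hook surfaces that status to `cb`.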

Ah, that’s really clear now. Thanks, Dan! I was having trouble with the nomenclature that would help me find the best example.


No problem! Let us know if you have any other questions. I am going to mark this resolved.
