How can I authorize a post-registration action to access a protected endpoint?

I have created a custom action for adding a user to my app’s database after they register via Auth0. That is currently working, with my app’s endpoint being called and the user being created.

However, I need to protect this endpoint in my app so that I only accept requests from the above action.

I am using a Next JS App and the API endpoint is part of the same app to which the user is registering. How can I authorize the post-registration action to have access to this protected endpoint?

For reference, this is the action and corresponding endpoint:

Custom action, triggered after user signs up

const axios = require("axios");

exports.onExecutePostUserRegistration = async (event, api) => {    
    await"<API URL>/api/users/new", { email: });

Receiving Next JS API Endpoint that needs to be protected

I need to protect this endpoint so that it only accepts requests from the above action.

async function handler(req: NextApiRequest, res: NextApiResponse<Data>) {
  const email =;

  if (!email) {
    res.status(400).send({ message: "Missing email parameter" });

  const user = await createUser({
  console.log("created user: ", user);
  res.status(200).send({ message: "user added", user });

Any tips or suggestions are appreciated!

I’m trying to do the same, did you find anything?

Hi @jpw

I missed this the first time around. You can use the Client Credentials Grant (also known as Machine to Machine or M2M) to do this.

Set up an API in Auth0, and create an M2M application to use it. Then use Client Credentials grant in your rule, hook, or action to get the access token. Be sure to cache it to avoid high costs.


Thanks for the reply, I was reading that you can’t cache tokens in an action, has that changed and is there a guide for that?

Hi @jpw

Use a rule instead of actions, you can cache there.