How can I authorize a post-registration action to access a protected endpoint?

I have created a custom action for adding a user to my app’s database after they register via Auth0. That is currently working, with my app’s endpoint being called and the user being created.

However, I need to protect this endpoint in my app so that I only accept requests from the above action.

I am using a Next.js app and the API endpoint is part of the same app to which the user is registering. How can I authorize the post-registration action to have access to this protected endpoint?

For reference, this is the action and corresponding endpoint:

Custom action, triggered after user signs up

const axios = require("axios");

// Runs after a user signs up; posts the new user's email to the app's API.
exports.onExecutePostUserRegistration = async (event, api) => {
    await axios.post("<API URL>/api/users/new", { email: event.user.email });
};

Receiving Next.js API endpoint that needs to be protected

I need to protect this endpoint so that it only accepts requests from the above action.

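import type { NextApiRequest, NextApiResponse } from "next";

// Data (the response type) and createUser are defined elsewhere in the app (not shown).
async function handler(req: NextApiRequest, res: NextApiResponse<Data>) {
  const email = req.body.email;

  // Reject requests that do not carry an email.
  if (!email) {
    res.status(400).send({ message: "Missing email parameter" });
    return;
  }

  // No caller authentication yet: any request with an email creates a user.
  const user = await createUser({
    email,
  });
  console.log("created user: ", user);
  res.status(200).send({ message: "user added", user });
}

export default handler;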

Any tips or suggestions are appreciated!

I’m trying to do the same, did you find anything?

Hi @jpw

I missed this the first time around. You can use the Client Credentials Grant (also known as Machine to Machine or M2M) to do this.

Set up an API in Auth0, and create an M2M application to use it. Then use the Client Credentials grant in your rule, hook, or action to get the access token. Be sure to cache it to avoid high costs.

John

1 Like
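
One way the endpoint could check the Client Credentials access token described in the answer above, as an added example that is not part of the original thread or Auth0's own code. It assumes an RS256-signed JWT access token carrying the `gty` and `azp` claims; the function names and the `expected` config fields are hypothetical, and the sample token is constructed with a throwaway key.

```javascript
// Added example (not from the thread): endpoint-side check of an Auth0 M2M access token.
const crypto = require("node:crypto");

// Decode one base64url JWT segment into an object.
const decode = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));

// Returns { ok: true, claims } or { ok: false, reason }.
// publicKey: tenant signing key (in production, picked from the tenant JWKS by header.kid).
// expected: { issuer, audience, clientId } are hypothetical config names.
function verifyM2MToken(token, publicKey, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, claims;
  try {
    header = decode(parts[0]);
    claims = decode(parts[1]);
  } catch {
    return { ok: false, reason: "malformed" };
  }
  if (!header || !claims) return { ok: false, reason: "malformed" };
  // Pin the algorithm; never let the token choose it.
  if (header.alg !== "RS256") return { ok: false, reason: "bad alg" };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], "base64url");
  if (!crypto.verify("RSA-SHA256", signed, publicKey, sig)) return { ok: false, reason: "bad signature" };
  if (claims.iss !== expected.issuer) return { ok: false, reason: "bad issuer" };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.audience)) return { ok: false, reason: "bad audience" };
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) return { ok: false, reason: "expired" };
  // Only the M2M application the Action uses may call this endpoint.
  if (claims.gty !== "client-credentials" || claims.azp !== expected.clientId) {
    return { ok: false, reason: "wrong client" };
  }
  return { ok: true, claims };
}

// Extract the token from an "Authorization: Bearer <token>" header value.
function bearerToken(headerValue) {
  const m = /^Bearer ([A-Za-z0-9._-]+)$/.exec(headerValue || "");
  return m ? m[1] : null;
}

// Demo only: mint a constructed token with a throwaway key, standing in for Auth0.
function signSampleToken(claims, privateKey, alg = "RS256") {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const body = `${enc({ alg, typ: "JWT" })}.${enc(claims)}`;
  return `${body}.${crypto.sign("RSA-SHA256", Buffer.from(body), privateKey).toString("base64url")}`;
}
```

In the handler, respond with 401 unless `verifyM2MToken(bearerToken(req.headers.authorization), key, cfg).ok` is true, and do so before calling `createUser`.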

Thanks for the reply. I was reading that you can’t cache tokens in an action. Has that changed, and is there a guide for that?

Hi @jpw

Use a rule instead of actions; you can cache there.

John

1 Like

Hey there!

As this topic is related to Actions and Rules & Hooks are being deprecated soon in favor of Actions, I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!
