I have been trying to set up Auth0 but I think I am going about it the wrong way.
Some background: I have an API which takes POST requests from users on some endpoint. The authentication expects an encrypted JWT in the Authorization HTTP header.
Right now the auth setup looks like:
- a client asks me for access to this API
- I create a user entity in our database for this client
- I generate a token for this user and provide it to them
- they add that token to all of their HTTP requests to the API
This is a pain to maintain, it doesn’t scale, and it is not very secure either, so I’m looking to Auth0 for improvements.
I want to be able to:
- invite users to have access to my API
- the user should be able to use my API programmatically (e.g. the end user should be able to write a bash script/cronjob/curl command/postman request to hit my API - there will not be a login page)
It looks like the machine-to-machine workflow could be what I need, but I am not sure what the best way to set this up in Auth0 would be - the way the documentation is written implies that I would be the owner of the “machine” which will hit my API, but in my use-case the machine would not be controlled by me but rather by the end user.
How can I set this up? Or if what I am describing is not possible, what is the preferred way in Auth0 to provide external users with the ability to programmatically hit my API(s)?
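Added example (not from the poster, and not Auth0's own code): an offline Python simulation of the machine-to-machine exchange the question mentions, i.e. the OAuth 2.0 client-credentials grant, shown from both sides. One function plays the token endpoint, holding a registry in which each external user has their own client id and secret and receiving a signed bearer token in return; the other plays the API, parsing the Authorization header and verifying the token before returning its claims. The tenant URL, the API audience, the client registry and the signing secret are all constructed for the example, and HS256 with a shared secret is an assumption made so the block needs only the standard library; a real Auth0 tenant issues access tokens from its `/oauth/token` endpoint signed with RS256 by default, and the API would then verify them against the tenant's published JWKS rather than a shared secret.

```python
"""Offline simulation of the client-credentials (machine-to-machine) flow.
Both the token endpoint and the API are plain functions here; nothing is
sent over the network. All names and keys below are constructed examples."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://example-tenant.example.com/"   # hypothetical tenant URL
AUDIENCE = "https://api.example.com/"            # hypothetical API identifier
SIGNING_SECRET = b"constructed-example-key-do-not-reuse"  # HS256 assumption

# Constructed registry: one M2M client per external user, each with its own
# secret, so one leaked credential can be revoked without touching the rest.
CLIENTS = {
    "client-abc": {"secret": "s3cret-abc", "scope": "submit:jobs"},
    "client-xyz": {"secret": "s3cret-xyz", "scope": "submit:jobs"},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: bytes) -> bytes:
    return hmac.new(SIGNING_SECRET, signing_input, hashlib.sha256).digest()


def issue_token(client_id: str, client_secret: str, audience: str,
                now=None, ttl=3600) -> str:
    """Token-endpoint side of grant_type=client_credentials.
    Refuses unknown clients, wrong secrets and unknown audiences; otherwise
    returns a compact JWS naming the caller (sub), the API (aud) and an expiry."""
    client = CLIENTS.get(client_id)
    # compare_digest keeps the secret check constant-time.
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise PermissionError("invalid_client")
    if audience != AUDIENCE:
        raise PermissionError("access_denied")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": f"{client_id}@clients", "aud": audience,
              "iat": now, "exp": now + ttl, "scope": client["scope"]}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = (b64url_encode(compact(header)) + "." +
                     b64url_encode(compact(claims))).encode()
    return signing_input.decode() + "." + b64url_encode(sign(signing_input))


def authorize_request(headers: dict, now=None) -> dict:
    """API side: pull the bearer token out of the Authorization header and
    verify it. Returns the claims, or raises PermissionError (a 401 case)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise PermissionError("missing bearer token")
    try:
        h_b64, c_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(c_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad JSON and a wrong part count
        raise PermissionError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise PermissionError("malformed token")
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    if not hmac.compare_digest(sign(f"{h_b64}.{c_b64}".encode()), signature):
        raise PermissionError("bad signature")
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise PermissionError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise PermissionError("token expired")
    return claims


if __name__ == "__main__":
    # What the end user's cron job would do: exchange its credentials for a
    # token, then send it on every request.
    token = issue_token("client-abc", "s3cret-abc", AUDIENCE)
    print(authorize_request({"Authorization": "Bearer " + token}))
```

The point the simulation makes for the question is that the "machine" never has to be yours: you register one client per external user and hand them the id and secret, and their own script performs the token exchange. Revoking that user means deleting their client, with no change to the API.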