How can users programmatically log in to API?

I have been trying to set up Auth0 but I think I am going about it the wrong way.

Some background: I have an API which takes POST requests from users on some endpoint. The authentication expects an encrypted JWT in the Authorization HTTP header.

Right now the auth setup looks like:

  • a client asks me for access to this API
  • I create a user entity in our database for this client
  • I generate a token for this user and provide it to them
  • they add that token to all of their HTTP requests to the API

This is a pain to maintain, it doesn’t scale, and it is not very secure either so I’m looking to Auth0 for improvements.

I want to be able to:

  • invite users to have access to my API
  • the user should be able to use my API programmatically (e.g. the end user should be able to write a bash script/cronjob/curl command/postman request to hit my API - there will not be a login page)

It looks like the machine-to-machine workflow could be what I need, but I am not sure what the best way to set this up in Auth0 would be - the way the documentation is written implies that I would be the owner of the “machine” which will hit my API, but in my use-case the machine would not be controlled by me but rather by the end user.

How can I set this up? Or if what I am describing is not possible, what is the preferred way in Auth0 to provide external users with the ability to programmatically hit my API(s)?

Hi @epechuzal

Probably M2M/Client Credentials is what you need. There’d be some customer setup (so that they get their client secret) and then they use client credentials whenever they need an access token.

However, depending on your needs, a 3rd party app might be better, if your customers are performing actions on behalf of a user (via your API).


1 Like

Thank you @john.gateley !

When you say “3rd party app”, what do you mean?

If I end up creating machine-to-machine apps for each client who requests one, how would this be billed by Auth0? Do I pay per M2M application? or per M2M token that gets requested and generated?