Hi, I need some help wrapping my brain around the right approach to granting users, native apps, and machine-to-machine apps access to my Next.js API endpoint.
To give you context, this is my stack:
- I’m building a Next.js monolith app with a GraphQL API endpoint (`/api/graphql`)
- The app leverages `@auth0/nextjs-auth0` for everything on the website frontend.
- Every API call provides the user session via `getSession(req, res)`
- All of this lives on `https://myapp.com`
This all works great. But now I have 3rd-party native apps, CLI apps, and more that want to access the same `/api/graphql` endpoint, which requires an authenticated user.
I’ve read through the docs quite a bit and if I understand correctly, the general approach should be:
- Create a new API app with the audience `https://myapp.com`
- For each app, create a new application. Let’s say I’m building an Apple TV app that requires a device auth flow.
- On Apple TV set up a flow to tell the user to enter a code, similar to this device flow playground. The `Client ID` here should be the ID of my “apple tv” app and the audience is `https://myapp.com` (right?)
- The user signs in and confirms while the app polls for status. On success, it receives a JWT.
- I should be able to pass the JWT to `https://myapp.com/api/graphql` and the user will be authenticated.
That last step is where I’m confused. Does `getSession()` from `nextjs-auth0` also check for bearer tokens that are passed in and sign in the user? Or do I have to implement my own JWT check? I haven’t been able to get this step to work.
And then my last question… what if users on my monolith Next.js platform want to create their own apps that use my API? E.g., what if someone wants to make a Discord bot to use the API? How do I go about granting them unique client IDs & secrets in a scalable, automated way? Do I have to make a new “global” Auth0 app and build my own dev app system, or is there a way to dynamically create apps in Auth0?