How to access Next.js API endpoint with JWT

Hi, I need some help wrapping my brain around the right approach to granting users, native apps, and machine 2 machine apps access to my Next.js API endpoint.

To give you context, this is my stack:

  • I’m building a Next.js monolith app with a GraphQL API endpoint (/api/graphql)
  • The app leverages @auth0/nextjs-auth0 for everything on the website frontend.
  • Every API call provides the user session via getSession(req, res)
  • All of this lives on https://myapp.com

This all works great. But now I have 3rd-party native apps, CLI apps, and more that want to access the same /api/graphql endpoint that require an authenticated user.

I’ve read through the docs quite a bit and if I understand correctly, the general approach should be:

  • Create a new API app with the audience https://myapp.com
  • For each app, create a new application. Let’s say I’m building an Apple TV app that requires a device auth flow.
  • On Apple TV set up a flow to tell the user to enter a code. Similar to this device flow playground. The Client ID here should be the ID of my “apple tv” app and audience is https://myapp.com (right?)
  • The user signs in and confirms while the app polls for status. On success, it receives a JWT.
  • I should be able to pass the JWT to https://myapp.com/api/graphql and the user will be authenticated.

That last step is where I’m confused. Does getSession() from nextjs-auth0 also check for bearer tokens that are passed in and sign in the user? Or do I have to implement my own JWT check? I haven’t been able to get this step to work.

And then my last question… what if users on my monolith Next.js platform want to create their own apps that use my API? e.g. What if someone wants to make a Discord bot to use the API? How do I go about granting them unique client IDs & secrets in a scalable, automated way? Do I have to make a new “global” Auth0 app and build my own dev app system, or is there a way to dynamically create apps in Auth0?

Hi @CPU,

Apologies for the delayed response.

From what I could find in some of the documentation, requests to the Next.js routes are protected with session cookies, not JWT authentication.

I don’t see a way to set up a JWT authentication endpoint with the Next.js SDK. This means you would want to find another way to authenticate JWTs. The good news is this: there are lots of libraries to do this, including Auth0 libraries.

Also, I can confirm your general approach is correct. You would want to add a new client/application for each app and request

It’s possible to dynamically create third-party applications with Auth0, but there are some missing pieces that you would be required to build. It’s not nearly as straightforward as adding Login/User Authentication.