Hi, I’m having trouble understanding what flow to use to authenticate my SPA with my API (on AWS Gateway). I see the Authorization Code Grant with PKCE is recommended for SPA but requires a user login. So I can use this to call API’s that require user authentication/roles, but what about just ensuring only my SPA can access my API for general API calls that don’t require a user (e.g. guest access). The Client Credentials flow seems only for backend apps, the Auth0 Single Page App SDK seems only to implement Authorization Code Grant with PKCE that requires user login, Implicit Flow also requires a login so I’m a bit stuck. Is this scenario not something to be handled by Auth0 and I need to look at other methods, e.g. using AWS API Gateway api-key and check the referrer/origin domain (my SPA)?
@dtl,
Welcome to the Auth0 Community Forum!
There is not really any solution for this. Due to the nature of public clients, any global API key or secret that is sent with the application is inspectable by any user who can access the SPA. They can get the key/secret and use the API like they were the SPA. You can obfuscate it to make it more difficult for an average user, but a public client with no unique credential (like a username/password) is going to be able to be inspected.
Do you have a specific concern about securing information in an API that is freely available via a SPA?
Thanks, that’s the conclusion I’ve come to. My concern was more about managing load and costs rather than data concerns, although if plans work out it might be something worth protecting 
I’ll look at using referrer/origin, possibly IP restrictions instead as a way to limit access.
@dtl,
That sounds like a great plan! We would love to know what strategies you end up going with if you have time to post about it. It is a topic I have seen brought up here before.
Good luck!
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.