How to handle multiple IoT devices with centralized authentication and several APIs

Currently we are using Auth0 for centralized authentication to several APIs. Each user has app metadata that associates them with companies with different APIs/URLs. The front end decodes the JWT to let the user know which APIs they are associated with.

We also have hundreds of hardware devices (IoT) that will be accessing these same APIs. Each device will be associated with only one API. One of the problems is communicating to a device which API/URL it is associated with.

This is the current approach I am working through:

  • Use the client credentials grant.
  • Get an access token for a machine-to-machine application (can this be linked to the regular web application?).
  • Use a hook to add the URL of the API to the access token.
  • The device can then decode the token and get the URL. Requests can then be sent to the correct API.

Is this approach possible? Does it require one machine-to-machine application for each API/URL that I have?

Hi Matt,

Welcome to the community.

I think the answer depends on the use case: are the hundreds of IoT devices running the same application/code, e.g. a bunch of smart speakers; or running totally different applications, e.g. smart speakers, smart TVs, smart doorbells, etc.?
If it’s the latter case, one application for each IoT device makes sense; for the former case, it’s actually the same application running on different environments.

Another question is about the multiple APIs. Provided the multiple APIs are for different resources, you may consider using the RBAC feature?
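The flow the question lays out (client credentials grant, a hook that puts the API URL into the access token, the device reading it back) and the RBAC suggestion in the reply, as one added worked example that is not code from the original thread or from Auth0. It is an offline model: Auth0 signs access tokens with RS256 and publishes the verification key through JWKS, so the HS256 shared secret here is a stand-in, and the client ids, URLs, claim namespace and permission names are all constructed assumptions. The `sub` and `gty` values follow what Auth0 emits for the client credentials grant.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins; a real tenant signs with RS256 and publishes the key via JWKS.
ISSUER = "https://example.auth0.com/"
SIGNING_SECRET = b"constructed-example-secret"
API_URL_CLAIM = "https://example.com/claims/api_url"  # URL-namespaced custom claim (assumed name)
TOKEN_LIFETIME_SECONDS = 3600

# One machine-to-machine client per device (or per device family). The client's metadata
# names the single API it may call and the permissions it is granted for that API.
DEVICE_CLIENTS = {
    "dev-client-001": {
        "audience": "https://api-north.example.com",
        "api_url": "https://api-north.example.com/v1",
        "permissions": ["telemetry:write"],
    },
    "dev-client-002": {
        "audience": "https://api-south.example.com",
        "api_url": "https://api-south.example.com/v1",
        "permissions": ["telemetry:write", "firmware:read"],
    },
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Mint a compact JWS (HS256) over the claims; stands in for the tenant's RS256 signing."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(SIGNING_SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str, expected_audience: str, now: int) -> dict:
    """Check signature, issuer, audience and expiry before any claim is trusted."""
    try:
        header, payload, signature = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    signing_input = f"{header}.{payload}".encode("ascii")
    expected = hmac.new(SIGNING_SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise PermissionError("wrong issuer")
    if claims.get("aud") != expected_audience:
        raise PermissionError("token was not issued for this API")
    if now >= claims.get("exp", 0):
        raise PermissionError("token expired")
    return claims


def issue_device_token(client_id: str, requested_audience: str, now: int) -> str:
    """Model of the client credentials exchange plus a hook that adds the api_url claim.

    A token is issued only if the client is authorized for the requested audience; the
    hook then copies api_url from the client's metadata into a namespaced custom claim.
    """
    client = DEVICE_CLIENTS.get(client_id)
    if client is None or client["audience"] != requested_audience:
        raise PermissionError("client is not authorized for this audience")
    claims = {
        "iss": ISSUER,
        "sub": f"{client_id}@clients",
        "aud": client["audience"],
        "iat": now,
        "exp": now + TOKEN_LIFETIME_SECONDS,
        "gty": "client-credentials",
        "permissions": client["permissions"],  # RBAC: what this device may do on its API
        API_URL_CLAIM: client["api_url"],      # added by the hook
    }
    return sign_jwt(claims)


def device_select_api(token: str, requested_audience: str, now: int) -> str:
    """Device side: read the API base URL out of the token it was just issued."""
    claims = verify_jwt(token, requested_audience, now)
    return claims[API_URL_CLAIM]


def api_authorize(token: str, this_api_audience: str, required_permission: str, now: int) -> bool:
    """API side: accept only tokens minted for this API that carry the needed permission."""
    try:
        claims = verify_jwt(token, this_api_audience, now)
    except PermissionError:
        return False
    return required_permission in claims.get("permissions", [])
```

Two points the model makes visible. The audience the device requests (and is authorized for) is what ties a client to exactly one API, so the URL claim is a routing convenience for the device and never an authorization signal: each API still rejects tokens whose `aud` is not its own, as `api_authorize` does. And because the client, not the application, carries the audience and metadata, one machine-to-machine application per device family with one client per device is enough; a separate application per API/URL is not needed.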