How to secure an API with Auth0

I am fairly new to Auth0, and I’m having a hell of a time figuring out how to implement Auth0 as our identity provider. Here is the simplest target architecture:

We have a REST API.

  1. We create an Auth0 User, and use the Username-Password connection to give that user a username and password that is stored on LastPass’s server. We send the user their credentials.

  2. A user sends a POST request to a /get-token/ endpoint, along with their username and password.

  3. The API reaches out to Auth0 with these credentials, and gets back a JWT, as well as some information about the user.

  4. The API returns the JWT to the user. Now, on subsequent requests to other API endpoints, the user can include the token with those requests, and the API can verify the token and use it to identify the user.

The step I’m struggling with is #3. I do not understand how Auth0 wants me to retrieve an access token on behalf of a user. Everything I can find wants me to redirect the user to the authorization page on Auth0, but I can’t redirect them to a URL when they are just interacting with me via Postman or a CLI or a library they wrote. What am I missing?

Hi there @fildred13, I’d be happy to help you get things set up. When you get a chance, can you DM me your tenant name so I can take a deeper look at what may be going on? You mentioned you need some assistance on how to retrieve an access token; I have linked a doc below that dives into getting access tokens. If you could share a bit more detail on your app stack, I would love to help. Thanks!

What I had been missing was the “Password Grant Type,” which I finally got working. It was particularly difficult to figure out because during evaluation of Auth0 I had added the “Authorization Extension” and subsequently uninstalled that extension when I decided it wasn’t for us. Unfortunately, the uninstall process did not remove the auto-created Rules that extension had set up, so I was getting arcane errors about rules and extensions that I had long forgotten we had ever tried. Once I finally cleaned up all traces of the removed plugin, the instructions for setting up the Password Grant Type worked as expected.

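To make steps 3 and 4 of the architecture above concrete with the Password Grant Type the answer settled on, here is an added example (not code from the thread or from Auth0): the API's `/get-token/` handler exchanges the user's credentials at the tenant's `/oauth/token` endpoint with `grant_type=password`, and the claim check the API should run on tokens it later receives. The tenant domain, client id/secret and API audience are placeholder assumptions, and the HTTP transport is injectable so the code can be exercised offline.

```python
import base64, json, time, urllib.parse, urllib.request

# Placeholder tenant values (constructed); replace with your own.
AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"
CLIENT_ID, CLIENT_SECRET = "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET"
API_AUDIENCE = "https://api.example.com"  # the API identifier registered in Auth0

def _post_form(url, fields):
    """Default transport: POST a form-encoded body and return the JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def get_token(username, password, post=_post_form):
    """Step 3: exchange the user's credentials for tokens using the
    Resource Owner Password grant (grant_type=password)."""
    body = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "audience": API_AUDIENCE,          # ask for a token meant for *our* API
        "scope": "openid profile email",   # openid => an id_token with user info
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,    # keep server-side; never ship to users
    }
    reply = post(f"https://{AUTH0_DOMAIN}/oauth/token", body)
    if "access_token" not in reply:
        raise RuntimeError(reply.get("error_description", "token request failed"))
    return reply  # access_token, token_type, expires_in (and id_token)

def unverified_claims(jwt):
    """Decode the JWT payload WITHOUT checking its signature."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def claims_are_valid(claims, now=None):
    """Step 4 checks on a token presented to the API: issuer, audience, expiry.
    Verify the RS256 signature against the tenant's JWKS (with a JWT library)
    before trusting these values; this function only checks the claim contents."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    return (claims.get("iss") == f"https://{AUTH0_DOMAIN}/"
            and API_AUDIENCE in aud
            and claims.get("exp", 0) > now)
```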

Fantastic @fildred13, I’m glad everything came together! Keep us posted in the future as your implementation of Auth0 grows and share what you’ve built!
