Hi all,
Our app is using Auth0.
Currently we created the users during the signup user and create the user in Auth0.
The issue is that when signing in, the token that is provided can access EVERYTHING in our api.
We have built out our API route to start with: /v1/client/{id}
after the client_id we obviously have all of our endpoints /customers /locations /orders etc
We need the token that is generated to ONLY have access to the client_id of the user requesting so if they belong to client_id 2 they could access /v1/client/2/customers and NOT /v1/client/5/customers specifically on the GET endpoints.
Hello @wurkzen welcome back to the community, and apologize for the delayed response!
This sounds like a fairly standard use cases for permissions/scopes in general - Perhaps even RBAC if you have groups of users that should be able to access specific resources and not others. Here are some resources that should give you some ideas: