How to secure API endpoints?

wurkzen · October 13, 2022, 5:19pm

Hi all,
Our app is using Auth0.
Currently we created the users during the signup user and create the user in Auth0.
The issue is that when signing in, the token that is provided can access EVERYTHING in our api.

We have built out our API route to start with: /v1/client/{id}
after the client_id we obviously have all of our endpoints /customers /locations /orders etc

We need the token that is generated to ONLY have access to the client_id of the user requesting so if they belong to client_id 2 they could access /v1/client/2/customers and NOT /v1/client/5/customers specifically on the GET endpoints.

What is the best way to do this?

tyf · October 28, 2022, 1:25am

Hello @wurkzen welcome back to the community, and apologize for the delayed response!

This sounds like a fairly standard use cases for permissions/scopes in general - Perhaps even RBAC if you have groups of users that should be able to access specific resources and not others. Here are some resources that should give you some ideas:

Hope this helps!

system · December 22, 2022, 12:29am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Application authorization vs User authentication Help dashboard , ui-ux-dashboard	0	1510	November 10, 2022
First party SPA using connectors and talking with a first party API Help	8	3489	August 29, 2019
How to secure an API with Auth0 Help access-token	5	10541	February 10, 2019
How to implement API keys using Auth0? Help auth0 , architecture , api-keys	11	32421	March 2, 2018
SPA and API scenario - restrict API access Help apis , application	2	1743	February 17, 2023

How to secure API endpoints?

Related Topics