Limit API to requests from SPA

Dear fellow Auth0nians,

I need parts of my API to be open to my SPA from the browser without the user logging in, but not the outside world. In other words I need to authorize/authenticate the client SPA to API endpoints, even when a user is not logged in. Once the user is logged in they can obviously do more stuff (call users API, POST, DELETE, etc.).

Is this in the scope of OAuth? Or do I have any options outside of rate throttling the API?

Hi Dragon,

Forgive me if I’m missing the point but it seems like you’d be able to do this simply by limiting the allowed origins in your API to the deployed link for your app. Please disregard if I’m not fully appreciating the scope of your question.

Thanks and good luck, mate!
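As an added illustration of the allowed-origins approach suggested in this reply (example code, not from the thread or from Auth0), here is a minimal Node.js request handler with two tiers: endpoints under `/public/` are answered only when the request carries an allowlisted `Origin`, and endpoints under `/users/` additionally require a bearer token. The SPA origin `https://app.example.test`, the token string and the request shape are constructed placeholders; a real API would validate an Auth0-issued JWT instead of the stand-in `tokenValid`. Note the caveat in the comments: the `Origin` header is controlled by the browser, not by page script, so this keeps other websites' JavaScript from reading the API's responses, but any non-browser client can send whatever `Origin` it likes, so the check is not a substitute for authentication.

```javascript
// Added example (not code from the original thread): a minimal request router
// enforcing the two tiers the thread describes.
//   1. "/public/*": reachable only when the Origin header is on the SPA allowlist.
//   2. "/users/*": additionally requires a bearer access token.
// Assumptions (constructed for this example): the SPA is served from
// https://app.example.test and the API lives on a different origin, so
// browsers send an Origin header on every cross-origin request.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.test', // placeholder for the deployed SPA's origin
]);

// Exact-match check against the allowlist. Do not use prefix or regex
// matching: "https://app.example.test.other.example" must not pass.
function originAllowed(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// CORS headers for preflight and actual responses. Echo only an allowlisted
// origin; never "*" when the endpoints accept credentials or Authorization.
function corsHeaders(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',
    'Access-Control-Allow-Methods': 'GET, POST, DELETE',
    'Access-Control-Allow-Headers': 'Authorization, Content-Type',
  };
}

// Stand-in for real access token validation (constructed for the example).
// A production API would verify the JWT signature, issuer, audience and expiry.
function tokenValid(authorization) {
  return authorization === 'Bearer valid-token-for-example';
}

// req: { method, path, headers } with lowercase header names, as Node's
// http module provides them. Returns a plain { status, headers, body } object.
function handle(req) {
  const origin = req.headers['origin'];

  if (!originAllowed(origin)) {
    // No CORS headers are emitted, so JavaScript on other sites cannot read
    // the response. Caveat: Origin is set by the browser and is not a secret;
    // a non-browser client can send any value, so this is not authentication.
    return { status: 403, headers: {}, body: 'origin not allowed' };
  }

  if (req.method === 'OPTIONS') {
    // Preflight: answer with the CORS grant and no body.
    return { status: 204, headers: corsHeaders(origin), body: '' };
  }

  if (req.path.startsWith('/public/')) {
    // Tier 1: allowlisted origin is enough, no user login needed.
    return { status: 200, headers: corsHeaders(origin), body: 'public data' };
  }

  if (req.path.startsWith('/users/')) {
    // Tier 2: the user must be logged in (valid access token).
    if (!tokenValid(req.headers['authorization'])) {
      return { status: 401, headers: corsHeaders(origin), body: 'login required' };
    }
    return { status: 200, headers: corsHeaders(origin), body: 'user data' };
  }

  return { status: 404, headers: corsHeaders(origin), body: 'not found' };
}

// Demonstration on constructed requests.
console.log(handle({ method: 'GET', path: '/public/config',
  headers: { origin: 'https://app.example.test' } }).status); // 200
console.log(handle({ method: 'GET', path: '/users/me',
  headers: { origin: 'https://app.example.test' } }).status); // 401
console.log(handle({ method: 'GET', path: '/public/config',
  headers: { origin: 'https://other.example' } }).status); // 403
```

The `Vary: Origin` header matters when the allowlist has more than one entry, so that a cache does not serve a response granted to one origin to a page from another.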


Hi dragon,

When you say “I need to authorize/authenticate the client SPA to API endpoints”, this sounds like Client Credentials/Machine To Machine to me.

Unfortunately, you can’t do this with a SPA. There’s no way to keep the client secret secure in this scenario.

Can you explain why you need to do this?


I don't think there is any other option.

Hey there @dragon!

Have you had a chance to see @john.gateley's message?