Since SPAs can’t be trusted, I want to reduce the access token lifetime from 24h to 10m, but if I set this in the API, my M2M access tokens (a very trustworthy place) also get reduced to 10m.
I could just create two APIs, but both applications make requests to the same endpoint, and you can’t create APIs with a duplicate audience…
Typically, a SPA access token won’t be requested with an audience of the Management API as they are quite limited in scope. Rather the SPA will request access tokens against the API registered in Auth0 to represent your API/Backend. Management API access tokens on the other hand should be requested/handled by your backend. Essentially your SPA will request access tokens to represent user authorization whereas your backend will request access tokens to use against the Management API specifically where no user interaction is required (m2m).
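If the two callers really must share one audience, the resource server can apply the shorter lifetime itself after normal JWT validation. The following is an added example, not code from the thread or from Auth0; it assumes Auth0's `gty` claim (`client-credentials` on M2M tokens) is the discriminator and that signature and audience checks have already passed.

```python
import base64
import json
import time

# Policy: tokens issued to a user-facing SPA are only honoured for 10 minutes
# after issuance, while client-credentials (M2M) tokens keep their full 24h.
MAX_AGE_USER_SECONDS = 10 * 60
MAX_AGE_M2M_SECONDS = 24 * 60 * 60


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(claims: dict) -> str:
    """Constructed, UNSIGNED JWT for this demo only; real tokens are signed by Auth0."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Reads the payload. Assumes signature, audience and exp were already
    verified by the regular JWT library before this policy check runs."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def is_client_credentials(claims: dict) -> bool:
    # Assumption: Auth0 marks client-credentials tokens with gty=client-credentials;
    # confirm against tokens from your own tenant before relying on it.
    return claims.get("gty") == "client-credentials"


def token_within_policy(token: str, now=None) -> bool:
    """True if the token is still acceptable under the per-caller age limit."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    age = now - claims["iat"]
    limit = MAX_AGE_M2M_SECONDS if is_client_credentials(claims) else MAX_AGE_USER_SECONDS
    return 0 <= age <= limit and now < claims["exp"]
```

The token still carries its original 24h `exp`, so this only shortens the window your own API honours; rotate or revoke as you normally would for anything else that accepts the token.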