I’m investigating Auth0 for use in a SPA (written in Blazor) with a webapi sitting underneath.
I’ve successfully used the management API to create a user, and can log in as that user with token being checked on both the SPA and the WebApi.
I have a few questions.
I can create a role and put that user in the role. However when that user logs in and gets authenticated, I want to check what role that user is in - that seems to be an extra API call. I can’t see the user’s role(s) on the getUser. Do I need to make extra calls like that every time? Or should I even be using auth0 roles as part of my application? Is it better to use auth0 just as an authentication mechanism and hold the concept of roles and permissions in my own database? Just trying to work out best practice.
I’m currently using the free subscription - I’m sure I saw a message in the portal saying that you get 1000 API Explorer application calls per month with that, and if you want more you need to upgrade to developer pro (at over $1000/month). Does that mean I can only make 1000 management api calls (to create, retrieve users, check roles etc) per month or is the API Explorer Application something different?
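One way to answer the roles question without an extra Management API call on every login is to have Auth0 copy the user's assigned roles into the tokens at login time, so the SPA reads them from the ID token and the Web API from the access token. The block below is an added example; it is not code from the original thread or from Auth0's own samples. It uses the documented Auth0 Actions hooks (`exports.onExecutePostLogin`, `event.authorization.roles`, `api.idToken.setCustomClaim`, `api.accessToken.setCustomClaim`); the namespace `https://example.com`, the constructed login events and the stand-in `event`/`api` objects are assumptions made so it runs offline.

```javascript
// Added example, not from the original thread or from Auth0's own samples:
// an Auth0 post-login Action that copies the user's assigned Auth0 roles into
// a namespaced custom claim on both tokens, plus the check a Web API would
// run on the decoded access token.

// Assumption: a URL you control, used to namespace the custom claim so it
// cannot collide with reserved OIDC claim names. Placeholder value.
const NAMESPACE = 'https://example.com';
const ROLES_CLAIM = `${NAMESPACE}/roles`;

// event.authorization.roles holds the roles assigned to the user in Auth0.
// event.authorization is absent in some flows, so guard it and always
// return an array (a missing claim and an empty one mean the same thing
// to the API: no roles).
function rolesFromEvent(event) {
  const roles = event && event.authorization && event.authorization.roles;
  return Array.isArray(roles) ? roles.slice() : [];
}

// Shared logic: write the roles claim into the ID token (read by the SPA)
// and the access token (read by the Web API).
function applyRoleClaims(event, api) {
  const roles = rolesFromEvent(event);
  api.idToken.setCustomClaim(ROLES_CLAIM, roles);
  api.accessToken.setCustomClaim(ROLES_CLAIM, roles);
  return roles;
}

// Auth0 Action entry point; Auth0 calls this on every login.
async function onExecutePostLogin(event, api) {
  applyRoleClaims(event, api);
}
// Register the hook the way Auth0 expects (guarded so the file also runs
// locally as a plain ES module, where `exports` does not exist).
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// --- Offline stand-ins for the objects Auth0 passes to the Action ------
// Constructed for this example so it runs without an Auth0 tenant; the
// captured claims mimic what would be embedded in the issued tokens.
function makeFakeApi() {
  const claims = { idToken: {}, accessToken: {} };
  return {
    claims,
    idToken: { setCustomClaim: (name, value) => { claims.idToken[name] = value; } },
    accessToken: { setCustomClaim: (name, value) => { claims.accessToken[name] = value; } },
  };
}

// Run the Action logic against a constructed login event and return the
// claims that would land in each token.
function runAction(event) {
  const api = makeFakeApi();
  applyRoleClaims(event, api);
  return api.claims;
}

// Web API side: `payload` is the validated, decoded access token. Roles
// come from the claim, so no Management API call is needed per request.
function hasRole(payload, role) {
  const roles = payload && payload[ROLES_CLAIM];
  return Array.isArray(roles) && roles.includes(role);
}

// Demo with constructed events: a user holding two roles, and a login
// event that carries no authorization object at all.
const demo = runAction({
  user: { email: 'alice@example.com' },          // constructed sample user
  authorization: { roles: ['admin', 'editor'] }, // constructed sample roles
});
console.log(demo.accessToken);                            // { 'https://example.com/roles': [ 'admin', 'editor' ] }
console.log(hasRole(demo.accessToken, 'admin'));          // true
console.log(hasRole(runAction({}).accessToken, 'admin')); // false
```

The roles claim is a snapshot taken when the token is issued: a role added or removed in Auth0 afterwards only shows up once a new token is issued, so keep access-token lifetimes short if role changes must take effect promptly. The claim is namespaced with a URL to keep it clear of reserved OIDC claim names.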
I would say both of the approaches can be fine, but I’ll go with our stack as there are simply methods or tools that will help you manage that, for example:
If I create a brand new .NET 5 Blazor WASM project and follow this step by step, would it work? Or do we need to wait for Auth0’s new guidance to secure .NET 5?
Any news on the pricing? If I need to pay over $1000/month for a subscription to make more than 1000 API calls per month, then using the Auth0 API to fetch users and roles etc. is going to be very costly.
It sounds a bit silly. I just need confirmation on what (if any) limits there are?
I just checked our pricing and, to be more specific, you’re not paying for API calls precisely but for tokens issued. In terms of the API calls, this doc is essential:
1. A user logs into the front end (the SPA) and requests an auth token from auth0.
2. They get given the token, and then that token gets passed from the SPA to the Web API, which also authenticates against auth0. Is it the same token? The user’s token? Or is there a different machine-to-machine token that’s not linked to the user?
3. All API calls from the Web API to the auth0 Management API use this same token to make potentially many API calls to fetch users and roles, create change-password tickets, fetch connections, etc.
4. It’s only when the token expires that a new one is issued. Or if a different user logs in, they get a new token. Is it these tokens that count towards the 1000 limit?