Mobile App to Secure API to Website endpoint


Here is our scenario. We have a mobile app (set up as native in Auth0) that does its login through the app via Auth0. That mobile app then calls an API using the “Execute an Authorization Code Grant Flow with PKCE” found at Call Your API Using the Authorization Code Flow with PKCE. The API is set up in Auth0 under APIs and the mobile app is successfully generating and passing an access_token.

The next step is the API needs to connect to a website endpoint (protected by the same Auth0 as the mobile app) as the user logged into the mobile app. So far I have been unable to make this work and am not sure how to proceed. At present it keeps redirecting me to the Auth0 login page. I’m unsure how to “authenticate” to Auth0 that the user is already logged in from the mobile app and we can hit the website endpoint with an SSO-like flow. Does anyone have any direction on how the API would interact with the website? I’ve passed the access_token, but that doesn’t appear to be working unless I need to do something else as well.


Exploring further, I have tried passing a valid access_token to the authorize URL with prompt=none (i.e. doing a silent authentication), but I get a response of “Login Required”, so Auth0 is not recognizing the mobile app login, or not associating the API access_token to the login session of the user in the mobile app. Reading through Configure Silent Authentication, I assume it’s because SSO is only for browsers where an SSO cookie can be placed and read by Auth0, not possible from an API.
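For readers following the flow described in this post, here is an added example (not code from the post or from Auth0) that builds the two requests involved: the Authorization Code + PKCE authorize URL the mobile app sends (RFC 7636 S256 challenge), the token-exchange body it posts afterwards, and the same authorize URL with prompt=none for a silent attempt. It also parses a constructed callback carrying the standard OIDC error=login_required response, which is what a prompt=none request returns when the browser making it has no Auth0 SSO session cookie. The tenant domain, client ID, redirect URI and audience are placeholder assumptions.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed, hypothetical tenant values: replace with your own Auth0 settings.
AUTH0_DOMAIN = "example.auth0.com"
CLIENT_ID = "mobile-app-client-id"
REDIRECT_URI = "com.example.app://callback"
AUDIENCE = "https://api.example.com"  # identifier of the API registered under APIs


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy verifier (43-128 unreserved chars); 32 random bytes -> 43 chars."""
    return _b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(challenge: str, state: str, prompt: Optional[str] = None) -> str:
    """Authorize request for the native app. prompt='none' asks for silent auth,
    which only succeeds when the requesting browser holds an Auth0 SSO session cookie."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile offline_access",
        "audience": AUDIENCE,  # asks for an access_token usable at the API
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if prompt:
        params["prompt"] = prompt
    return f"https://{AUTH0_DOMAIN}/authorize?{urlencode(params)}"


def build_token_request(code: str, verifier: str) -> dict:
    """Form body for POST https://{AUTH0_DOMAIN}/oauth/token.
    The verifier, never sent before, proves the caller started this flow."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "code_verifier": verifier,
        "redirect_uri": REDIRECT_URI,
    }


def parse_callback(callback_url: str, expected_state: str) -> dict:
    """Return {'code': ...} on success, or {'error': ..., 'error_description': ...}
    on failure (e.g. error=login_required from a prompt=none request).
    Raises ValueError on a state mismatch, which is the CSRF check."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale callback")
    if "error" in qs:
        return {
            "error": qs["error"][0],
            "error_description": qs.get("error_description", [""])[0],
        }
    return {"code": qs["code"][0]}


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    print("interactive login:", build_authorize_url(code_challenge(verifier), state))
    print("silent attempt:   ", build_authorize_url(code_challenge(verifier), state, prompt="none"))
    # Constructed callback: what a prompt=none request yields without an SSO cookie.
    silent_cb = f"{REDIRECT_URI}?error=login_required&error_description=Login%20required&state={state}"
    print(parse_callback(silent_cb, state))
    # Constructed successful callback and the token exchange it leads to.
    print(build_token_request(parse_callback(f"{REDIRECT_URI}?code=abc123&state={state}", state)["code"], verifier))
```

The state check and the verifier are the two values the client must keep between the authorize redirect and the callback; a server-side API that never held the browser session has neither the SSO cookie nor those values, which is why replaying an access_token into /authorize cannot substitute for them.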