Multiple protected APIs

Hello, I have a question about protected APIs.

Let’s say I am going to use two APIs.

One is https://www.test.com/warehouses (I will call this A).
Another one is https://www.authentication.com/login (I will call this B).

I will use a custom database, and a user will be validated from B.
If login is successful, my React app will get a token from Auth0.
With the token, I can access any other endpoint in B, such as https://www.authentication.com/products and
https://www.authentication.com/drivers, because I will make https://www.authentication.com/ a protected API by Auth0.

I also need to use the token in A as well, so that only users authenticated from Auth0 have access to the resource in A.

In this case, do I have to create two protected APIs? If so, is there any way to add multiple audiences to the Auth0 Provider in a React app?

<Auth0Provider
  domain="dev-1j7fu4lg.us.auth0.com"
  audience=""
  clientId=""
  redirectUri=""
  prompt=""
  scope=""
>

Please let me know if my question is unclear.

Hi @hyun.park,

You can register the two APIs separately in Auth0, and use the test.com and authentication.com as separate identifiers (audiences).

If you take this approach, you will need to request a separate token for each API. Assuming you are using the Auth0 React SDK, you would request the token with getAccessTokenSilently and pass the audience directly with this request. Like this:

getAccessTokenSilently({audience:'https://test.com/'})

Thank you for the answer!

I have one more question. In my server, I need to validate the token which came from my React app, right?

I will use Django for the server. Is there any helpful reference on how I implement the validation logic?

Yes! Check this out for Django: Auth0 Django API SDK Quickstarts: Authorization


Hello dan,

I have encountered an issue while following your guide.

I could only get a token when I passed the audience parameter with a certain API endpoint.

I will explain what I have done for better understanding.

I created two protected APIs:

  1. test.com
  2. authorization.com

Next, in my React app, I passed the audience parameter to the Auth0 provider:

<Auth0Provider
  audience="authorization.com"
  />

(I also passed required parameters)

In this case, I was able to get a token for authorization.com with this:

getAccessTokenSilently({ audience: "authorization.com" })

However, I wasn’t able to get a token for test.com.

Do you have an idea for this?

And I have one more question: is there any way to get the secret key from the access token?

I think I have to explain what I am trying to achieve.

Now I have one server that has many APIs and it is currently live. Many customers are using it.

The server itself generates a token and has validation logic.

Our company is now trying to separate a server for login and validation from the existing server. In the future, our users are going to log in to the new server, where Auth0 is going to be implemented.

Existing server (Django), new server (Django), application (React)

Now that users are going to get an Auth0 token, I want to use the token with our existing server as well. I want to use only one token for the new server and the existing server. Have you ever experienced this situation? And how did you solve this issue?

Let me know if any part is unclear.

If you control both of these servers you should be able to set them to verify whatever audience you’d like. I’m still not 100% sure I understand your architecture though.

As for getting a token with test.com as the audience, this should just require sending it with the request to getAccessTokenSilently. It looks like you are still sending the authorization.com audience.
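
How each API server can enforce its own audience, as the replies above describe (an added example, not code from the thread or from Auth0's SDK). It assumes an HS256-signed token with a constructed shared secret and issuer so that it runs on the Python standard library alone; an API configured for RS256 would verify the signature against the tenant's public key instead, with the same `aud` check.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"          # constructed, not a real key
ISSUER = "https://tenant.example.invalid/"   # constructed issuer

def _enc(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_token(audience, secret=SECRET, lifetime=300):
    """Build a constructed HS256 token so the example runs offline."""
    claims = {"iss": ISSUER, "sub": "constructed-user", "aud": audience,
              "exp": int(time.time()) + lifetime}
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(_enc(json.dumps(p).encode()) for p in parts)
    return signing_input + "." + _enc(_sign(signing_input, secret))

def validate(token, expected_audience, secret=SECRET):
    """Return the claims if the token is valid for this API, else raise ValueError."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, claims = json.loads(_dec(head_b64)), json.loads(_dec(body_b64))
        sig = _dec(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":   # pin the algorithm; the header does not choose it
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(sig, _sign(f"{head_b64}.{body_b64}", secret)):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= time.time():
        raise ValueError("token expired")
    aud = claims.get("aud")            # "aud" may be one string or a list of strings
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if expected_audience not in audiences:
        raise ValueError("token not issued for this API")
    return claims
```

A token requested for `https://test.com/` passes `validate` on the server that expects that audience and is rejected on a server that expects a different one, which is why each API needs either its own token or a shared audience value.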
