
Need to prove auth status to an api


#1

I have a custom REST API that takes in user/password, and I see how I can use a custom database connection to integrate that into Auth0. I also see the SDK that would allow my mobile app to authenticate users against Auth0. Here is what I need help with. I now want a third system, another REST API, to be sent some kind of token that proves it's a logged-in user originating in my mobile app. How would I handle that? Is there a way to get a token from the logged-in user on my mobile app, pass it to my API and validate it there?


#2

The API Authorization features can help protect your API through the access tokens issued to a logged-in user. For a mobile app, you would be using the Authorization Code (PKCE) flow, outlined here:
https://auth0.com/docs/api-auth/grant/authorization-code-pkce

Note, access_tokens do not contain a "logged in" state. Being JWTs, they have an exp expiry claim after which the token is expired. This expiry can be configured in the API settings in the Auth0 dashboard.

