I have a custom REST API that takes in user/password and I see how I can use a custom database connection to integrate that into Auth0. I also see the SDK that would allow my mobile app to authenticate users against Auth0. Here is what I need help with. I now want a third system, another REST API, to be sent some kind of token that proves it's a logged-in user originating in my mobile app. How would I handle that? Is there a way to get a token from the logged-in user on my mobile app, pass it to my API and validate it there?
The API Authorization features can help protect your API through the access tokens issued to a logged-in user. For a mobile app, you would be using the Authorization Code (PKCE) flow, outlined here:
Note that access_tokens do not contain a “logged in” state: being JWTs, they have an exp expiry claim after which the token is expired. This expiry can be configured in the API settings in the Auth0 dashboard.
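As an added illustration of what the third REST API has to do with the access token it receives (this is example code, not Auth0's SDK or anything from the original thread), the block below mints a demo JWT shaped like an access token and then validates it the way a resource server should: check the signature, the issuer, the audience (the API identifier configured in the Auth0 dashboard) and the exp claim. It uses HS256 with a constructed shared secret so that it runs on the standard library alone; Auth0 signs with RS256 by default, in which case the signature step uses the tenant's public key from its JWKS endpoint instead of a shared secret. The issuer and audience values are placeholders. The validator deliberately has no notion of "logged in": once exp passes, the token is rejected, and before that it is accepted regardless of what the user has done since, which is exactly the point made in the answer above.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the demo. A real Auth0 API would verify RS256 signatures
# against the tenant's JWKS public key; HS256 is used here so the example is
# self-contained. Issuer and audience are placeholders, not real tenants.
DEMO_SECRET = b"demo-signing-secret-not-for-production"
EXPECTED_ISSUER = "https://example-tenant.auth0.com/"
EXPECTED_AUDIENCE = "https://my-third-api.example"


class TokenError(Exception):
    """Raised when the access token must be rejected."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_demo_token(subject: str, lifetime_seconds: int,
                    now: Optional[int] = None,
                    audience: str = EXPECTED_AUDIENCE) -> str:
    """Stand-in for the token the mobile app obtains from Auth0 (demo only)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": EXPECTED_ISSUER, "sub": subject, "aud": audience,
               "iat": now, "exp": now + lifetime_seconds}
    signing_input = ".".join(
        _b64url_encode(json.dumps(p, separators=(",", ":")).encode())
        for p in (header, payload))
    sig = hmac.new(DEMO_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_access_token(token: str, now: Optional[int] = None) -> dict:
    """What the third REST API does with the bearer token it receives.

    Returns the verified claims or raises TokenError. Note there is no
    "is the user still logged in" check: only the exp claim bounds validity.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")

    # 1. Pin the algorithm before trusting anything else in the header.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")

    # 2. Verify the signature over the exact header.payload bytes received.
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))

    # 3. The token must come from our tenant and be meant for this API.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        raise TokenError("wrong audience")

    # 4. Expiry: the only time-bound state the token carries.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("token expired")
    return claims


if __name__ == "__main__":
    issued_at = 1_700_000_000
    tok = mint_demo_token("auth0|demo-user", 3600, now=issued_at)
    print(validate_access_token(tok, now=issued_at + 60)["sub"])
```

The API should run this on every request carrying an Authorization: Bearer header and return 401 on any TokenError; the mobile app never needs to send the user's password, only this token.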