Personal Access Tokens or API Keys

Feature: Personal Access Tokens or API Keys

Description: Often, one wants to grant users access to the API without requiring a typical login flow. This is either because users want to grant trusted third parties or themselves access in a programmatic setting where a typical login flow would not make sense.

For example, GitHub generates personal access tokens which can be used to access the API, and can be revoked.

Use-case: This is a use case useful for not pushing the burden of logging in to a developer application. For example, in a CLI or a Python library, it would be very cumbersome to implement an authentication flow with social, that requires popping up a browser and capturing the access token.

Instead, users could generate a Personal Access Token in order to make API calls programmatically. This is different from M2M use cases, because we want API calls to be restricted to the user's specific information.

Currently, there is no support for this, which would require us to either implement a cumbersome login process for programmatic users, implement API keys on our own, or extend the expiration of access tokens to a very large number, which is less safe.

Hey there!

Thanks for creating this feedback card! Let’s see who else will vote for that!

This sounds so interesting and useful!


Thanks for adding your +1!

1 Like

@konrad.sopala, any update on this feature, if it's going to be supported soon? Seems like a basic feature for supporting API based access.

1 Like

It would be great to get this feature!


Vote for this one too. My use case is that we need to develop a WooCommerce plugin for merchants. So these merchants will set up the appid and secrets in our WooCommerce plugin, so the plugin will communicate to our backend. I was thinking to create one application per merchant; however, it seems there is a limit on the applications we can create. Do you have any suggestions?



It would be super great if we can have this feature.


Hey everyone, I think this would be a great addition to Auth0, too, and since we don’t know if they will build it…

I’d like to build it myself. :grinning: I think an integration to the Auth0 marketplace or something of that like would be great! If you’re interested, do you mind dropping your email on my landing page? I need to see how many people are interested myself. Thanks!

Landing page:

Yes, this feature would be greatly appreciated for the following reasons:

  1. You can connect the traffic of the API key user with his Webapp user. This is relevant if you charge per traffic consumption.

  2. It’s a cleaner system design. Right now, say you only had 2 applications (a Mobile app and a Webapp), and you create M2M applications for all of your thousands of users, the real 2 applications would be buried among the thousands of superfluous applications. They are NOT applications, they are just a different way to log into the system.

I found this official blog article from 2014 that evokes the idea of using JWT as API keys. I think this is a good starting point for a solution, but it has the following challenges:

Using access tokens isn’t a good fit for API keys as access tokens cannot be revoked.

Refresh tokens can be revoked and can have a duration up to 1 year, which is reasonable.

This solution would be satisfying if these two things are possible:

  1. Is it possible to validate the refresh tokens the same way you validate access tokens?

  2. Can you inject the permissions or other data in the refresh token?
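As an added example (not Auth0's code, and not from anyone in this thread), here is the "implement API keys on our own" option from the original request, shaped the way this post asks for: an opaque token tied to a user and a set of permissions, with an expiry and immediate revocation. The `PatStore` class, the `pat_` prefix and the scope names are assumptions made for the illustration; only a hash of the secret is kept server-side, so a database leak does not leak usable tokens.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    token_id: str
    user_id: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class PatStore:
    """In-memory store (constructed for the example); production code would persist it."""

    def __init__(self):
        self._records = {}  # token_id -> TokenRecord
        self._hashes = {}   # token_id -> sha256(secret); the secret itself is never stored

    def issue(self, user_id, scopes, ttl_seconds, now=None):
        now = time.time() if now is None else now
        token_id = secrets.token_hex(8)      # public lookup handle, contains no underscores
        secret = secrets.token_urlsafe(32)   # 256 bits of entropy, shown to the user only once
        self._hashes[token_id] = hashlib.sha256(secret.encode()).digest()
        self._records[token_id] = TokenRecord(token_id, user_id, frozenset(scopes), now + ttl_seconds)
        return f"pat_{token_id}_{secret}"    # "pat_" prefix lets secret scanners spot leaked tokens

    def verify(self, token, required_scope, now=None):
        # Returns the TokenRecord if the token is valid for required_scope, otherwise None.
        now = time.time() if now is None else now
        parts = token.split("_", 2)          # the secret may contain "_", so split at most twice
        if len(parts) != 3 or parts[0] != "pat":
            return None
        _, token_id, secret = parts
        rec = self._records.get(token_id)
        digest = hashlib.sha256(secret.encode()).digest()
        if rec is None or not hmac.compare_digest(digest, self._hashes[token_id]):
            return None
        if rec.revoked or now >= rec.expires_at or required_scope not in rec.scopes:
            return None
        return rec

    def revoke(self, token_id):
        # The record is kept (not deleted) so the token can never validate again.
        rec = self._records.get(token_id)
        if rec is None:
            return False
        rec.revoked = True
        return True
```

Because the API looks up the record by `token_id`, every call still resolves to the owning user, which answers the per-user metering and "one M2M application per user" concerns raised earlier in the thread.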

I will be very happy to see a feature like this.
Sounds logical that Auth0, as an IAM, will have an extra feature for personal access tokens, with different time limitation options + revoke option.

Is it on the roadmap?

1 Like