Post User Creating Hook- Security

Hey everyone! I am looking for some guidance on the proper implementation of an Auth0 post user creation hook. Basically what I am trying to do is fire off a post request to my server with details of the newly signed up user. I have implemented that using Axios, which was fairly straightforward. I am however looking to secure that API on my side; one method would be to simply whitelist the IPs of the Auth0 server, however I don’t consider that a secure API.

I looked around on the documentation and a Bearer token is able to be passed over in the API request. My only issue is that no audience is specified which I believe is required for my API to authenticate. Does anyone have any best practices or a sample document on this type of implementation?

David

Hi @david14,

Welcome to the Community!

This type of setup is a form of M2M Authorization.

You can configure your API in the dashboard, register the hook as an M2M application (client), set up their permissions, then request an access token directly from the hook.

If you were using node for example, this shows you how to set up your API:

This doc shows you how to set up your M2M app (your hook in this case). You can even select the node.js option to display the request in JS:
https://auth0.com/docs/quickstart/backend/nodejs/02-using

Let me know if you run into anything,
Dan


Dan, makes total sense thanks for the heads up!

David

Let us know if you have questions!

Dan,

I successfully implemented M2M to generate a token to then use on my API. Basically I have two asynchronous functions: one grabs a token, then the other makes the actual post request. It performs this each time for the pre and post user registration. Is there the ability to store that token so we are not hitting the Auth0 servers for each request?

David

The only thing I can think of would be using hook secrets, but I don’t think this will persist across hook types.

To clarify what you are asking, are you wanting to share the token between a pre-reg and a post-reg hook (I don’t think this is possible, but you can try it), or share the token between two different signup events (this may be possible)?

This one might take some trial and error.

Let me know,
Dan

Dan,

Thanks for the response, I am trying to share the key between two different signup events.

David

I think this should be possible via the hook secrets that I linked above.
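Putting the flow discussed in this thread together, as an added example that is not from the posters or from Auth0's docs: a Node.js helper for a post-user-registration hook that requests a client-credentials token with the API's audience and caches it at module scope, so warm hook invocations across signup events reuse it until shortly before it expires. TOKEN_URL, API_AUDIENCE, the secret names and the injected httpPost transport are placeholders/assumptions, and the receiving API must still validate the token's signature and audience itself.

```javascript
// Added example (not from the thread): client-credentials token fetch with
// an in-memory cache for an Auth0 post-user-registration hook.
// TOKEN_URL and API_AUDIENCE are placeholders; httpPost(url, body, headers)
// is an injected async transport (axios/fetch in a real hook) so this runs offline.

const TOKEN_URL = 'https://YOUR_TENANT.auth0.com/oauth/token'; // placeholder
const API_AUDIENCE = 'https://api.example.com/users';           // placeholder
const REFRESH_MARGIN_MS = 60 * 1000; // refresh one minute before expiry

// Module-level cache: persists between invocations while the hook sandbox
// stays warm, which is what sharing a token across signup events needs.
// A cold start simply fetches a fresh token.
let cached = { accessToken: null, expiresAt: 0 };

async function getAccessToken(httpPost, secrets, now = Date.now) {
  if (cached.accessToken && now() < cached.expiresAt - REFRESH_MARGIN_MS) {
    return cached.accessToken; // still valid, no round trip to Auth0
  }
  const body = {
    grant_type: 'client_credentials',
    client_id: secrets.CLIENT_ID,       // hook secret (assumed name)
    client_secret: secrets.CLIENT_SECRET, // hook secret (assumed name)
    audience: API_AUDIENCE,             // the API identifier the token is for
  };
  const res = await httpPost(TOKEN_URL, body, {});
  if (!res || !res.access_token || !res.expires_in) {
    throw new Error('unexpected token response');
  }
  cached = {
    accessToken: res.access_token,
    expiresAt: now() + res.expires_in * 1000,
  };
  return cached.accessToken;
}

async function postNewUser(httpPost, secrets, user, now = Date.now) {
  const token = await getAccessToken(httpPost, secrets, now);
  // Forward only the fields the API needs, not the whole hook user object.
  const payload = { user_id: user.id, email: user.email };
  return httpPost(secrets.API_URL, payload, { Authorization: `Bearer ${token}` });
}

// For tests and cold-start simulation.
function resetTokenCache() {
  cached = { accessToken: null, expiresAt: 0 };
}
```

In a real hook the secrets object is the one Auth0 injects (`context.webtask.secrets`), and the cache is best-effort: a cold sandbox means one extra token request, never a failure.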
