We would like to offer a test environment to our end users, so that they can develop and create demo apps with no fees.
We decided on a single API endpoint, but are unsure how to validate that the test environment is being used. We would prefer to avoid a dummy test parameter in the body, or headers.
The solution we have in mind is to create a second API in Auth0 dashboard, pointing to the same endpoint, but using a different Topic.
That way, the API backend can detect which topic is being used, and adapt the behaviour…
Is this a recommended solution? Are there any best practices for this use case?
I’m afraid that this steps a bit outside of the scope of the authentication service; as in, can you have multiple APIs in Auth0 dashboard and have them be associated with the same actual API implementation? Yes, you can, although on the API implementation side you would need to accept access tokens from multiple audiences which may be something that may or may not have built-in support in some validation libraries.
The above is indeed possible, but I would recommend you check how simple it would be in your stack to have the validation of multiple audiences.
Now the question around should you do such flow over other possible alternatives is what goes a bit out of scope. From a personal perspective I would likely tend to favour a separate test endpoint (https://staging.api.example.com) versus the production endpoints (https://api.example.com) even if most of the logic would be reused, but this is mostly a personal opinion.
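The multi-audience validation discussed above, as an added example that is not part of either post: the backend derives the environment from the verified `aud` claim, which may be a string or a list, and fails closed when a token names none or both of its audiences. The audience identifiers, issuer and secret are constructed assumptions, and HS256 with a shared secret is used only so the example runs offline with the standard library.

```python
import base64, hashlib, hmac, json, time

# Assumptions (constructed for this example): the two API identifiers, issuer, secret.
AUDIENCE_ENV = {"urn:example:api:live": "production", "urn:example:api:test": "test"}
ISSUER = "https://tenant.example/"
SECRET = b"constructed-demo-secret"  # HS256 keeps the example offline

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims, secret=SECRET):
    """Build a constructed HS256 token so the check below has sample input."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_sign(f'{head}.{body}', secret))}"

def environment_for(token, secret=SECRET, now=None):
    """Return 'test' or 'production' for a valid token, else raise ValueError."""
    try:
        head, body, sig = token.split(".")
        header, claims, given = json.loads(_b64d(head)), json.loads(_b64d(body)), _b64d(sig)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_sign(f"{head}.{body}", secret), given):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if claims.get("iss") != ISSUER or not isinstance(exp, (int, float)):
        raise ValueError("bad issuer or missing exp")
    if exp <= (time.time() if now is None else now):
        raise ValueError("expired")
    aud = claims.get("aud")  # a string, or a list when several audiences are granted
    auds = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    envs = {AUDIENCE_ENV[a] for a in auds if isinstance(a, str) and a in AUDIENCE_ENV}
    if len(envs) != 1:  # none of ours, or both test and production: fail closed
        raise ValueError("token must name exactly one of this API's audiences")
    return envs.pop()
```

Because the environment comes from a signed claim rather than a request parameter, a client cannot switch a production token into test behaviour (or the reverse) by editing the request.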