Providing API Secrets to client

I’m sorry if that has been discussed before, but what I’m looking for seems pretty straightforward. I have a RESTful API that I would like to secure. Based on this post (How to implement API keys using Auth0?), it seems that I’m able to provide our vendors with the client id / client secret to obtain access to the RESTful API. For the purpose of our API, it will be M2M.

My question is, how would I identify which vendor is logging in based on the client secret? It appears that I’m missing a step somewhere.

Any help would be greatly appreciated.

Thanks!

Hi @qbressler

Welcome to the Auth0 Community!

Thank you for posting your question. I’ll respond as soon as I have more information regarding your case.

Thanks
Dawid

1 Like

The client_id of the vendor will be sent as the subject (sub) claim in the access token (which is a JWT) that is passed in the authorization header by the vendor when calling your API. So, you can have a table on your side that maps vendor client_ids to their respective vendors and proper permissions for that user principal.

1 Like
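
The lookup described in the answer above, as an added example that is not part of the original thread or Auth0's own code. It assumes a JWT library has already verified the token's signature and expiry; the tenant URL, API identifier, client IDs, scopes and vendor table are constructed placeholders. For client-credentials tokens Auth0 writes `sub` as the client ID followed by `@clients` and repeats the client ID in `azp`, so the code strips the suffix before the table lookup.

```python
# Added example: resolve the calling vendor from already-verified token claims.
# Signature and expiry checks are assumed to have been done by a JWT library.

ISSUER = "https://example-tenant.auth0.com/"   # hypothetical tenant
AUDIENCE = "https://api.example.com/"          # hypothetical API identifier

# Constructed table: Auth0 client_id -> vendor name and the scopes we allow it.
VENDORS = {
    "vendorAclientid0000000000000000A": {"name": "Vendor A", "allowed": {"read:orders"}},
    "vendorBclientid0000000000000000B": {"name": "Vendor B",
                                         "allowed": {"read:orders", "write:orders"}},
}


class Forbidden(Exception):
    """Raised when the token does not map to a vendor allowed to do this."""


def resolve_vendor(claims, required_scope):
    """Return the vendor name for verified token claims, or raise Forbidden."""
    if claims.get("iss") != ISSUER:
        raise Forbidden("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if AUDIENCE not in audiences:
        raise Forbidden("token not issued for this API")
    if claims.get("gty") != "client-credentials":
        raise Forbidden("not a machine-to-machine token")
    sub = claims.get("sub", "")
    # Auth0 writes sub for client-credentials tokens as "<client_id>@clients".
    client_id = sub[: -len("@clients")] if sub.endswith("@clients") else sub
    # azp also carries the client_id; refuse tokens where the two disagree.
    if claims.get("azp", client_id) != client_id:
        raise Forbidden("sub and azp disagree")
    vendor = VENDORS.get(client_id)
    if vendor is None:
        raise Forbidden("unknown client")  # deny by default
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted or required_scope not in vendor["allowed"]:
        raise Forbidden("scope not permitted for this vendor")
    return vendor["name"]


# Constructed sample claims, shaped like an Auth0 client-credentials access token.
SAMPLE = {
    "iss": ISSUER, "aud": AUDIENCE, "gty": "client-credentials",
    "sub": "vendorAclientid0000000000000000A@clients",
    "azp": "vendorAclientid0000000000000000A", "scope": "read:orders",
}

if __name__ == "__main__":
    print(resolve_vendor(SAMPLE, "read:orders"))
```

Checking the scope against both the token and the local table means a vendor is limited by your own records even if its Auth0 grant is later widened by mistake.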