Restrict first-party clients to specific APIs
  1. Multiple first-party clients are configured with different valid callback URLs. Say FP-Client-A, FP-Client-B, FP-Client-C, each with a different set of callback URLs.
  2. We have multiple APIs. Say, API-X, API-Y, API-Z.
  3. All APIs are for first-party use at this time. Users should never be asked for consent when requesting access token for these APIs.
  4. However, clients should only be able to get access tokens for specific APIs, i.e., FP-Client-A is allowed access to API-X, but no others. FP-Client-C is allowed access to API-X, API-Y, and API-Z. FP-Client-B is allowed access to none of these APIs (only identity).

How do I accomplish this?

The goal is to prevent a developer (or attacker) with access only to FP-Client-A from getting tokens for anything other than API-X, i.e., limit the scope of any attack, whether coming from an internal or external entity.
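The policy the question describes (per-client callback allowlist, per-client audience allowlist, no consent prompt for first-party clients) can be expressed as a single decision function that an authorization server runs before issuing a token. The following is an added illustration, not code from the original post or from any identity provider; the client registry, callback URLs and `authorize` function are constructed for the example.

```python
# Added example (not from the original post or any vendor): a minimal policy
# check an authorization server could run before issuing a token. Client
# names, callback URLs and the policy table are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Client:
    client_id: str
    first_party: bool
    callback_urls: FrozenSet[str]        # exact-match redirect allowlist
    allowed_audiences: FrozenSet[str]    # APIs this client may obtain tokens for


# Constructed registry mirroring the question: three first-party clients, three APIs.
APIS = frozenset({"API-X", "API-Y", "API-Z"})
CLIENTS = {
    "FP-Client-A": Client("FP-Client-A", True,
                          frozenset({"https://a.example/callback"}),
                          frozenset({"API-X"})),
    "FP-Client-B": Client("FP-Client-B", True,
                          frozenset({"https://b.example/callback"}),
                          frozenset()),                        # identity only
    "FP-Client-C": Client("FP-Client-C", True,
                          frozenset({"https://c.example/callback"}),
                          frozenset({"API-X", "API-Y", "API-Z"})),
}


def authorize(client_id: str, redirect_uri: str,
              audience: Optional[str]) -> Tuple[bool, str, dict]:
    """Decide whether a token request may proceed.

    Returns (allowed, reason, claims). claims is non-empty only when allowed.
    Every denial carries a machine-readable reason so the server can log it
    and alert on repeated attempts by one client to reach an API it is not
    entitled to.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        return False, "unknown_client", {}

    # Exact string match: no prefix, wildcard or substring matching of
    # redirect URIs, so an attacker cannot redirect the code elsewhere.
    if redirect_uri not in client.callback_urls:
        return False, "invalid_redirect_uri", {}

    # No audience requested: an identity-only token, which every registered
    # client (including FP-Client-B) may obtain.
    if audience is None:
        return True, "ok", {"aud": client_id, "azp": client_id,
                            "consent_required": False}

    if audience not in APIS:
        return False, "unknown_audience", {}

    # The core control: the client's audience allowlist decides, independent
    # of the user. A compromised FP-Client-A can only ever reach API-X.
    if audience not in client.allowed_audiences:
        return False, "client_not_authorized_for_audience", {}

    return True, "ok", {
        "aud": audience,                      # token is bound to this API only
        "azp": client_id,                     # records which client obtained it
        "consent_required": not client.first_party,
    }


if __name__ == "__main__":
    for cid, uri, aud in [("FP-Client-A", "https://a.example/callback", "API-X"),
                          ("FP-Client-A", "https://a.example/callback", "API-Y"),
                          ("FP-Client-B", "https://b.example/callback", "API-X"),
                          ("FP-Client-C", "https://c.example/callback", "API-Z")]:
        print(cid, aud, authorize(cid, uri, aud)[:2])
```

The decision keys on `client_id` and the requested audience, not on user consent, which is what keeps first-party clients prompt-free while still fencing each one into its own set of APIs. The resource servers (API-X, API-Y, API-Z) should in turn reject any token whose `aud` claim is not their own identifier, so the allowlist is enforced at both ends.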