Securely accessing an external API via Auth0 rules

I am using AuthO authentication for login to my application and I have created a rule which hits my API service from inside that rule and the response returned is used to generate the access token which contains some user-information as well. What I want in my applications is to allow access to that endpoint via AuthO only not from any other place. While hitting that endpoint we are not passing any token, etc its just the plain url with username in it.
So how I can I differentiate between a request coming from inside an AuthO rule or from any other source (like Postman, etc)?
Any suggestions will be be extremely helpful . Thanks

Hi @lov.verma , welcome to the community!

As a bare minimum, you could implement an IP AllowList firewall so only requests from Auth0’s server IPs were accepted by your API.

You can find our outbound IPs for your tenant’s region by going to create a Rule in the Tenant Dashboard, when editing your rule code there is a “Heads up!” box listing all the IPs a request sent by a Rule from your tenant’s region could come from.

You may also want to further lock down your API such as with an API key that must be posted in the body of any request to your API; you could store this key in the configuration object for rules so it is not stored in plain text in your rule code:

Please note though that this is not official advice, and if the data being shared by your API is at all sensitive you may want to involve a security professional or enlist our professional services team: Auth0 Professional Services

1 Like

Thanks @sgo , will try this and update if this works for my problem.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.