Securing a REST API for multiple SAAS users

Hi All,

I need some advice on the correct approach to do a common task. My apologies if this has been asked in the past but things seem to move pretty fast in the world of Auth0! so I want to make sure I’ve got the latest/more appropriate approach.

We have a SAAS product for analysing chatbot data (built in React/GraphQL). This is an SPA with Custom API all secured by Auth0 and works fine.
Users login to the portal and can view the chat data for each chatbot they have added.
We harvest the data via a REST API which our clients POST transcripts to. It’s this REST API which we also need to secure with Auth0 and where I need clarification.
I want to allow our users to be able to create an API key and SECRET in our portal which they can then send in requests to log data to our secured REST API. The most preferable is that the users just create their own key by clicking on a button or whatever and then we can allow them to recreate if needed. Similar to Heroku’s API key creation.
So, I’m presuming this is a machine to machine login for each user on our portal, each user will have their own key/secret and use these to log their data.

What would be the best approach to achieve this?

Thanks in advance


Hi @adrian

Do users manually submit chatbot data or is it an automated process. I assume the latter. If it is the former, you’d just secure the API with an access token like you do for the SPA’s API.

You are correct: M2M(aka Client Credentials) is the right way to do this.
Each user will get a Client Credentials app (which has a client ID and secret) and use this to get an access token.


Hi John,

thanks for getting back to me so quickly much appreciated!
Yes the latter, our users will either use our native SDKs or just call the REST API directly each time there is interaction with their chatbot.
So how do I create a Client Credentials app for a user if I want to be able to carry out this process from our SPA (not manually on the Auth0 dashboard). As per workflow I suggested? I guess that’s the last piece of the puzzle I’m missing.


Your backend API would use the management API to create the client :!/Clients/post_clients


What @chrisw said :slight_smile:


thanks @john.gateley and @chrisw, much appreciated.
I’ve managed to create a M2M client by calling!/Clients/post_clients
One last question, how do I authorise it against my API?, if I look at the list of APIs for the added account in the dashboard none of them are authorised
I guess I need to do the following with the management api?
“You can authorize this application to request access tokens for these APIs by executing a client credentials exchange.”
Or maybe I missed a param on creating my Client credentials app in the first place.

1 Like

Ignore that last question…I was being talentless! I called!/Client_Grants/post_client_grants
All good now, thanks for the help!

1 Like

Glad you have it working now!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.