Hi @testiam! If I understand your question correctly, you’re looking to use the access token you receive after logging in from an SPA to call your secured API Gateway? (If this isn’t correct, feel free to let me know!)
If you followed an SPA example from our documentation, I’m assuming that your SPA is using auth0-spa-js. If this is the case, you’ll need to add your Auth0 API Audience to the Auth0 configuration. Here’s how it would work in the vanilla JS example I linked in the beginning of this paragraph:
- Add the API audience (this is
https://auth0-jwt-authorizerin the JWT Authorizer article) to theauth0_config.jsonfile:
{
"domain": "{DOMAIN}",
"clientId": "{CLIENT_ID}",
"audience": "{API_AUDIENCE}"
}
- Wherever you’re calling
createAuth0Clientin your code, you’ll need to pass the audience in as an option:
// ..
const configureClient = async () => {
const response = await fetchAuthConfig();
const config = await response.json();
auth0 = await createAuth0Client({
domain: config.domain,
client_id: config.clientId,
audience: config.audience, // ADD THIS LINE
});
};
When you log in, you should now be prompted to allow access to your AWS JWT Authorizer API. If you allow it, the access token you get back should now contain the proper claims that allow it to be used in requests to your API Gateway. You’ll need to manually set the Authorization header with the access token:
const accessToken = "...";
const apiGatewayURL = "https://[SUBDOMAIN].amazonaws.com/default/wish-list-service";
const data = {};
fetch(apiGatewayURL, {
method: "POST",
headers: {
"Content-Type": "application/json",
"Authorization": `Bearer ${accessToken}`
},
body: JSON.stringify(data)
});
(Note: I haven’t tested this sample request myself; there may be more configuration to do here to handle Cross-Origin Requests. See an earlier response in this thread for more information about making CORS work on API Gateway.)
Hope that helps!