I have been asked to look into the possibility of securing Machine to Machine APIs using a JWT token, using the Auth0 stack (see Client Credentials Flow).
Our configuration requirements are:
Host API
- API hosted with Azure API Management
- Simple GET request returning JSON for a given identifier
Client API
- Client API calls the host API 10,000s of times a day, so it needs to be very responsive
- No human interaction
- Limited client technical knowledge
- No ability to renew the JWT token as there is no UI
Is the above possible, and more importantly performant?
If not, what would be a better approach to secure the API (API keys, certificates, whitelisting, etc.)?
Hi Robert,
Using M2M (aka Client Credentials) will definitely work in your case. There are other approaches (as you note) that work too.
JWTs are performant: verification of a JWT only requires the signing keys, and those should be cached.
JWTs can be renewed - actually, the client API requests a new JWT from Auth0 when the old JWT expires, but as this is M2M there is no human interaction or UI to do this.
John
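The two points in the reply above (verification only needs cached signing keys, and the client simply requests a fresh token when the old one expires, with no human involved) can be seen end to end in the following simulation. This is an added example, not code from the thread or from Auth0: it uses a shared HS256 secret and constructed issuer/audience values so it runs offline with the standard library only; a real Auth0 tenant signs M2M tokens with RS256 and the host API would cache the tenant's JWKS instead of a shared secret. `issue_token`, `TokenCache`, `Verifier` and `simulate` are all hypothetical names.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (assumptions, not from the thread). In production the
# verifier would fetch and cache the tenant's RS256 public keys (JWKS); a shared
# HS256 secret is used here only so the example needs no third-party library.
SECRET = b"demo-signing-secret-not-for-production"
ISSUER = "https://example-tenant.auth0.com/"
AUDIENCE = "https://host-api.example/"
TOKEN_TTL = 3600  # seconds, shortened for the demo


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, now: int) -> str:
    """Stand-in for the token endpoint (client credentials grant): signed JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": f"{client_id}@clients", "aud": AUDIENCE,
              "iat": now, "exp": now + TOKEN_TTL, "gty": "client-credentials"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenCache:
    """Client API side: reuse the token, fetch a new one shortly before expiry."""

    def __init__(self, client_id: str, token_endpoint, leeway: int = 60):
        self.client_id, self.token_endpoint, self.leeway = client_id, token_endpoint, leeway
        self._token, self._exp = None, 0
        self.token_requests = 0  # trips to the token endpoint

    def get(self, now: int) -> str:
        if self._token is None or now >= self._exp - self.leeway:
            self._token = self.token_endpoint(self.client_id, now)
            self._exp = json.loads(_b64url_decode(self._token.split(".")[1]))["exp"]
            self.token_requests += 1
        return self._token


class Verifier:
    """Host API side: load the signing key once, validate every request locally."""

    def __init__(self, key_loader):
        self.key_loader, self._key, self.key_loads = key_loader, None, 0

    def _signing_key(self) -> bytes:
        if self._key is None:  # cached after the first load, no network per request
            self._key, self.key_loads = self.key_loader(), self.key_loads + 1
        return self._key

    def verify(self, token: str, now: int) -> dict:
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        head, body, sig = parts
        if json.loads(_b64url_decode(head)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # pin the algorithm, never trust the header
        expected = hmac.new(self._signing_key(), f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(body))
        if claims.get("iss") != ISSUER:
            raise ValueError("wrong issuer")
        if claims.get("aud") != AUDIENCE:
            raise ValueError("wrong audience")
        if now >= claims.get("exp", 0):
            raise ValueError("token expired")
        return claims


def is_rejected(verifier: Verifier, token: str, now: int) -> bool:
    try:
        verifier.verify(token, now)
        return False
    except ValueError:
        return True


def simulate(calls: int = 10_000, interval: int = 1, start: int = 1_700_000_000) -> dict:
    """Drive `calls` requests `interval` seconds apart on a simulated clock and
    report how many token requests and key loads that cost."""
    client, host, ok = TokenCache("demo-client-id", issue_token), Verifier(lambda: SECRET), 0
    for i in range(calls):
        now = start + i * interval
        ok += host.verify(client.get(now), now)["sub"] == "demo-client-id@clients"
    return {"verified": ok, "token_requests": client.token_requests, "key_loads": host.key_loads}


if __name__ == "__main__":
    print(simulate())  # 10,000 calls over ~2.8 simulated hours: 3 token requests, 1 key load
```

The client only goes back to the token endpoint a handful of times per day, and the host API never calls out at all once the signing key is cached, which is where the responsiveness comes from. Note that a token is checked against its own `iss` and `aud` claims and a pinned algorithm; an expired or tampered token is rejected locally.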
Thanks John,
I would like to test out using JWTs, but the examples provided don’t quite cover my scenario, and are not easy to follow. Can you advise the steps required and/or provide a simple example?
Thanks
Rob
Hi Rob,
Try the quickstart here: Call Your API from a Machine-to-Machine App
And for info on token validation see here: Validate JSON Web Tokens
John