Securing Machine-to-Machine APIs using a JWT token

I have been asked to look into the possibility of securing Machine-to-Machine APIs using a JWT token, using the Auth0 stack (see Client Credentials Flow).

Our configuration requirements are:

Host API

  • API hosted with Azure API Management
  • Simple GET request returning JSON for a given identifier

Client API

  • Client API calls the host API 10,000s of times a day, so it needs to be very responsive
  • No human interaction
  • Limited client technical knowledge
  • No ability to renew the JWT token as there is no UI

Is the above possible, and more importantly, performant?
If not, what would be a better approach to secure the API (API keys, certificates, whitelisting, etc.)?

Hi Robert,

Using M2M (aka Client Credentials) will definitely work in your case. There are other approaches (as you note) that work too.

JWTs are performant: verification of a JWT only requires the signing keys, and those should be cached.

JWTs can be renewed; actually, the client API requests a new JWT from Auth0 when the old JWT expires, but as this is M2M there is no human interaction or UI to do this.

John

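The flow John describes, as an added worked example that is not part of this thread and not Auth0's or Azure's own code. It shows both sides in one self-contained Go program: a stand-in for the Auth0 token endpoint issuing an RS256 access token for the client-credentials grant, the host API verifying that token with a cached public key and no network round-trip (signature first, then issuer, audience and expiry, with the algorithm pinned rather than read from the token header), and a client that caches the token and asks for a new one only shortly before it expires, with no UI involved. The issuer URL, audience, client ID and secret are constructed values; in a real deployment the client posts to the tenant's /oauth/token endpoint and the API fetches the public key from the tenant's JWKS document and caches it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims is the subset of the access token that the host API checks. A real Auth0
// token also carries iat, azp and scope; a single string aud is a simplification.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// Issuer stands in for the Auth0 tenant's token endpoint (constructed for this example).
type Issuer struct {
	Key      *rsa.PrivateKey
	Iss, Aud string
	TTL      time.Duration
	Calls    int // token requests served, to show how rarely the client needs one
}

// ClientCredentials is the client-credentials grant: client id + secret in, signed
// RS256 token out, together with its lifetime in seconds. Credentials are constructed.
func (is *Issuer) ClientCredentials(clientID, clientSecret string, now time.Time) (string, int64, error) {
	is.Calls++
	if clientID != "client-abc" || clientSecret != "s3cret" {
		return "", 0, errors.New("invalid_client")
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pl, _ := json.Marshal(Claims{Iss: is.Iss, Sub: clientID + "@clients", Aud: is.Aud, Exp: now.Add(is.TTL).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, is.Key, crypto.SHA256, h[:])
	if err != nil {
		return "", 0, err
	}
	return input + "." + b64.EncodeToString(sig), int64(is.TTL.Seconds()), nil
}

// Verify is the host API's per-request check. It needs only the cached public key:
// there is no call to Auth0 here, which is why validation stays fast.
func Verify(token string, pub *rsa.PublicKey, iss, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, errors.New("malformed base64url segment")
		}
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: never let the token's own header choose how it is verified.
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], raw[2]) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims // claims are trusted only after the signature checks out
	if json.Unmarshal(raw[1], &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Iss != iss {
		return nil, errors.New("wrong issuer")
	}
	if c.Aud != aud {
		return nil, errors.New("wrong audience")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Client is the calling service. It caches the token and renews it shortly before
// expiry, so tens of thousands of API calls a day cost a handful of token requests.
type Client struct {
	Issuer     *Issuer
	ID, Secret string
	token      string
	exp        time.Time
}

func (c *Client) Token(now time.Time) (string, error) {
	const margin = 30 * time.Second // renew a little early to absorb clock skew
	if c.token != "" && now.Before(c.exp.Add(-margin)) {
		return c.token, nil
	}
	tok, ttl, err := c.Issuer.ClientCredentials(c.ID, c.Secret, now)
	if err != nil {
		return "", err
	}
	c.token, c.exp = tok, now.Add(time.Duration(ttl)*time.Second)
	return tok, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	is := &Issuer{Key: key, Iss: "https://example.auth0.com/", Aud: "https://host-api.example", TTL: time.Hour}
	cl := &Client{Issuer: is, ID: "client-abc", Secret: "s3cret"}
	now := time.Now()
	for i := 0; i < 100; i++ { // 100 minutes of one call per minute
		t := now.Add(time.Duration(i) * time.Minute)
		tok, _ := cl.Token(t)
		if _, err := Verify(tok, &key.PublicKey, is.Iss, is.Aud, t); err != nil {
			fmt.Println("rejected:", err)
		}
	}
	fmt.Println("token requests made:", is.Calls)
}
```

The point for the performance question is that the hot path (Verify) is a hash plus one RSA public-key operation against a key already in memory; only the token endpoint is rate-limited and only the client hits it, roughly once per token lifetime. On Azure API Management the same signature, issuer, audience and expiry checks are normally expressed with the validate-jwt policy pointed at the tenant's OpenID configuration, which fetches and caches the signing keys for you; a client that does not cache its token, as above, will hit Auth0 on every request and run into its M2M token quota.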

Thanks John,

I would like to test out using JWTs, but the examples provided don’t quite cover my scenario, and are not easy to follow. Can you advise the steps required and/or provide a simple example?

Thanks

Rob

Hi Rob,

Try the quickstart here: Call Your API from a Machine-to-Machine App

And for info on token validation see here: Validate JSON Web Tokens

John