Hey guys, hoping I can get some clarification on the best way to use auth0 for my needs. Am totally new to auth0 so apologies if I am missing something obvious.
I am developing a Vue SPA which consumes data via an API, allowing only authenticated users access. This is all set up and running no problem using auth0-spa-js.
My stumbling point comes in that I also want to be able to offer users access to this API, essentially offering the same functionality as the SPA but in an API they themselves can consume in their own applications.
Now please tell me if I’m wrong but they wouldn’t be able to use the same token that they use behind the scenes for the SPA? So I created a separate M2M application in auth0, saw that I can define the scopes for my API inside that application and once I have requested an access token for the new M2M application I can access the API fine, great!
Then it hits me that this won’t work because without giving out my secret to users, they won’t be able to obtain tokens and also I will have no way of identifying users to manage usage quotas.
This leads me to think that the way to do it is to create a new M2M application for each user? But this seems messy and like it could get overly complicated.
Is there a better way to accomplish this? Thanks