SPA and M2M accessing same API

Hey guys, hoping I can get some clarification on the best way to use auth0 for my needs. Am totally new to auth0 so apologies if I am missing something obvious.

I am developing a Vue SPA which consumes data via an API, allowing only authenticated users access. This is all setup and running no problem using auth0-spa-js.

My stumbling point comes in that I also want to be able to offer users access to this API, essentially offering the same functionality as the SPA but in an API they themselves can consume in their own applications.

Now please tell me if I’m wrong but they wouldn’t be able to use the same token that they use behind the scenes for the SPA? So I created a seperate M2M application in auth0, saw that I can define the scopes for my API inside that application and once I have request an access token for the new M2M application I can access the API fine, great!

Then it hits me that this won’t work because without giving out my secret to users, they won’t be able to obtain tokens and also I will have no way of identifying users to manage usage quotas.

This leads me to think that the way to do it is to create a new M2M application for each user? But this seems messy and like it could get overly complicated.

Is there a better way to accomplish this? Thanks :slight_smile:

1 Like

Hi @kyle3,

Welcome to the Community!

It would work, but they would essentially be acting as the SPA, regardless of what app they were making the request from. It would certainly be a bit of a workaround solution.

This would be the most logical way to do it. Give them their own client credentials, the same way you would give out an API key. You can create and delete M2M applications programmatically using the management API, but this will require some setup on your side, and you would need to build out the UI for this feature (if required).

Granted, there are now entity limits that you will have to deal with, so picking the right type of subscription is important.

This is something that has seen some debate on the forum recently and if you could submit a feedback ticket about your use case and needs to our product team we would appreciate it.

Thank you. I had pretty much decided this was the best approach so have already coded most of my own API endpoints in to manage Applications etc so am well on the way.

I didn’t know about entity limits, I should be fine for the foreseeable future but if this approach is one that many people are taking then the 100 max does seem like it could potentially be problematic in the long term!

1 Like

Sounds good, thanks for the follow up. Let us know if you have any more questions!