SPA + API without login

Hi,

I recently followed this article to secure my API but as I move into production, I’d like to programatically fetch my access token.

A bit of context:

  • I have a Lumen API with all of its endpoints secured and so is expecting a token for each call. I’ve registered the API in the Auth0 dashboard and for testing purposes I’ve been grabbing it manually from there and pasting it into my react app config files.

  • I have a React app which makes calls to this API, each time passing in the access token.

All examples I’ve seen about spa + api include a login feature on the spa side, which I’m not making use of.

So my question: Is this the right approach - having my react app fetch the token to then pass to my API? Keeping in mind there is no login functionality in my application so essentially whoever stumbled onto it can programatically grab the access token and fetch from the api.

If so, what I’ve currently implemented (following above article) is coming back with a ‘required login’ error when I tried to getTokenSilently(); (see below)

Am I going about this all wrong and do I absolutely need a login page?

Hi @nats369,

Welcome to the Community! I apologize for the delayed response.

There isn’t technically a way to secure a public client without some piece of unique data, like a login. If you were to add a client secret and create a machine to machine application, the client secret could just be inspected by any user, and then used to make calls to your API.

Hope this clarifies,
Dan