Auth0 Home Blog Docs

SPA client authentication against multiple APIs

authentication

#1

Is there an easy way to authenticate a client for multiple backend APIs?

We have a React SPA that calls multiple auth0 authenticated APIs on the backend. Is there an easy way to authenticate against both APIs at the same time, or without multiple authentication steps by the user?


#2

A possible strategy to handle multiple API’s, in particular when those API’s are under your control and the reason for having more than one is related in some degree with the concept of micro-services, is document at:

How to Represent Multiple APIs Using a Single Auth0 API

If the multiple API’s are truly independent and/or not completely under your own control then the above does not apply. In this situation, it’s not possible to perform an authorization request at the same time as only one audience parameter and with a single value is currently supported. However, despite the fact that you will need to perform multiple requests to obtain an access token for each API, it’s not mandatory that the user will need to perform multiple authentication steps.

If the first request, the one where providing credentials for authentication will be mandatory, establishes an authenticated session at the IdP (your Auth0 account) then subsequent requests can be made in a way that it does not force the user to provide credentials again. In addition, if none of the API’s truly require an explicit consent screen to be shown then they can be configured to skip consent for your own application which would mean the multiple request could leverage the existing session and automatically complete without any user interaction.

Have in mind, that the consent screen is always shown/required if you’re accessing your application through localhost during development. It is then recommended that you setup your development environment to not make use of localhost.


#3