SPA-Laravel: Management API best practices

Current setup:

  • SPA using auth0-spa-js library
  • Laravel API using auth0/login package

I can:

  • Redirect SPA to Universal login to obtain a JWT with the audience for my custom API
  • Use that JWT, in the SPA, to access my API
  • Decode and validate the token in the API

Now I tried to access the Management API with that token, but encountered “401 Bad Audience”. I have since realised that the JWT sent to the SPA (after login) is meant for SPA<->Custom API communication ONLY.

I can see here that to get an access token the client id and secret are used.

  1. So is this the recommended way to approach this? Once the JWT has been validated then the API is safe to use a machine-to-machine id+secret for backend requests, because we know the user is genuine?

  2. There is mention of building a process at your backend that will provide you with a token automatically (and thus simulate a non-expiring token). Is this something implemented in the laravel package at all? I can’t see anything myself.

Thank you for your help.

The requests between your backend API and the Auth0 Management API should be separated from the user. You should request a separate token, using the client credentials grant (client_id and client_password in exchange for an Access Token).

The flow would go like this:

  • User login returns Access Token through the SPA with your backend API as the audience
  • SPA makes requests to your backend API with the User’s Access Token
  • Your backend validates the request and token and requests its own Access Token with the Management API as the audience (M2M Access Token)
  • Backend API makes any request to the Management API with the M2M Access Token

There are two Access Tokens in this scenario.

  • A token for requests from SPA → backend API (user Access Token)
  • A token for requests from backend API → Management API (M2M Access Token)

I’m not sure where this is stated, or if this is specific to laravel. I can look into it if you provide a link to the source.
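The backend side of that flow, as an added example that is not code from the thread or from the auth0/login package: a small Laravel service that obtains the M2M Access Token with the client credentials grant, caches it until just before it expires (which is the "provide you with a token automatically" process asked about in question 2), and uses it for a Management API call. The class name, constructor parameters and cache key are this example's own; the `/oauth/token` endpoint, the `client_credentials` grant and the `https://{domain}/api/v2/` audience are the standard Auth0 values. The user's Access Token is never forwarded here; it has already been validated by the package middleware on the route that calls this service.

```php
<?php
// Added example (not the thread's or the auth0/login package's code): a Laravel
// service holding the backend's own Management API (M2M) Access Token, obtained
// with the client credentials grant and cached until shortly before expiry.

namespace App\Services;

use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Http;
use RuntimeException;

class ManagementApiClient
{
    // Cache key for the M2M token; any string works as long as it is unique.
    private const CACHE_KEY = 'auth0.management.m2m_token';

    public function __construct(
        private readonly string $domain,        // e.g. "your-tenant.auth0.com" (placeholder)
        private readonly string $clientId,      // client_id of the M2M application
        private readonly string $clientSecret,  // client_secret of the M2M application (never in the SPA)
    ) {}

    /** Return a cached M2M Access Token, requesting a fresh one when none is cached. */
    public function token(): string
    {
        $cached = Cache::get(self::CACHE_KEY);
        if (is_string($cached) && $cached !== '') {
            return $cached;
        }

        [$token, $expiresIn] = $this->requestToken();

        // Cache for less than expires_in so a token is never served after it has expired.
        Cache::put(self::CACHE_KEY, $token, max(1, $expiresIn - 60));

        return $token;
    }

    /** Client credentials grant: client_id + client_secret in exchange for an Access Token. */
    private function requestToken(): array
    {
        $response = Http::asForm()->post("https://{$this->domain}/oauth/token", [
            'grant_type'    => 'client_credentials',
            'client_id'     => $this->clientId,
            'client_secret' => $this->clientSecret,
            // The audience must be the Management API, not your custom API;
            // using the user's SPA token here is what produces "401 Bad Audience".
            'audience'      => "https://{$this->domain}/api/v2/",
        ]);

        if (!$response->successful()) {
            throw new RuntimeException('Management API token request failed: HTTP ' . $response->status());
        }

        $body = $response->json();
        if (!isset($body['access_token'])) {
            throw new RuntimeException('Token response did not contain an access_token');
        }

        return [$body['access_token'], (int) ($body['expires_in'] ?? 3600)];
    }

    /** Example Management API call made with the M2M token (GET /api/v2/users/{id}). */
    public function getUser(string $userId): array
    {
        return Http::withToken($this->token())
            ->acceptJson()
            ->get("https://{$this->domain}/api/v2/users/" . rawurlencode($userId))
            ->throw()
            ->json();
    }
}
```

Wire it up by constructing the class in a service provider from config values (for example `config('services.auth0.domain')` and the M2M application's credentials, which are assumed config keys here), and call it only from routes that the auth0/login package has already protected, so the user token is validated before the backend ever spends its own credentials on a Management API request.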


Get Management API Access Tokens for Production

Excellent, thank you. So I just need to follow the docs above then. The build process quote is at the top of that page. I can build my own solution for this, just didn’t want to reinvent the wheel as it were.


Let us know if you have any other questions.
