SPA login, then send data to my own API

I followed the Angular quick start: Auth0 Angular SDK Quickstarts: Login and I got all the way through it to the point where I can dump the logged in user$ to the page and have a look at what I get. It looks like I get this sub field in the result which I can use to uniquely identify the logged in user.

Is it legit to then pass the value of that sub field along to my API routes (e.g. in the payload object of a POST) on my own server to reliably and securely associate the API access with the logged in user? If not is there an article I can read to help me bridge that gap?

Hey there @vicatcu, welcome to the community!

While the sub field does indicate a unique user, it's a small piece of the overall flow. I definitely recommend taking a look at the following architectural overview which outlines the suggested approach to Authentication/Authorization between a SPA app and API as defined by OAuth/OIDC:

Another article that may be of use:

Hope this helps to get you started in the right direction!

1 Like