Tokens for API fallthrough

Hello everyone,

I’m trying to figure out how to set up the login workflow correctly so that our users can log in once, get an access token and then use it for authentication in our APIs. The issue is that I cannot yet grasp how to set up and request tokens for our APIs.

Essentially our infrastructure is this

Mobile user → API → Internal API

Where the mobile user logs in via username/password into Auth0 and then uses the token to access the API. In turn, the API will call the Internal API to perform the actual work.

My question is: how do I request an access token so that I can pass it to the Internal API? Must I request another access token inside the API for the Internal API on every call, or can I reuse the API token and pass it there? The second approach is the best, but as far as I can see there’s no option to request an access token with multiple audiences. Instead it’s recommended to use scopes, but then how do I receive an access token without an audience?

Thank you.

Hi @JasonVyyer,

The mobile app would request an AT for the API, and the API would request a second access token for the Internal API.

Each user will use a different access token that is unique to them, and the middle API can request a single token to make requests against the Internal API, and use that same token until it expires.

Does that help?

Hi @dan.woda, yes, that’s the idea I was leaning towards, but what kind of request do I need to make from the API to get a token for the Internal API?

The middle API will be registered as a Machine to Machine application (M2M) and will use the client credentials flow.
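The replies above describe the pattern but not the request itself. The following is an added example (not code from the thread or from Auth0) of what the middle API would do: send a client credentials grant to the token endpoint with the Internal API's identifier as the `audience`, cache the returned token, and only fetch a new one shortly before it expires, so a single M2M token serves many user requests. The tenant URL, client id, client secret and audience values are placeholders, and the `post_form` callable is injected so the caching logic can be exercised offline against a constructed stand-in for the token endpoint.

```python
import json
import time
import urllib.parse
import urllib.request

# Placeholder values (assumptions, not from the thread); replace with your tenant's.
TOKEN_URL = "https://YOUR_TENANT.auth0.com/oauth/token"
CLIENT_ID = "middle-api-m2m-client-id"
CLIENT_SECRET = "middle-api-m2m-client-secret"
INTERNAL_API_AUDIENCE = "https://internal-api.example.com"


def client_credentials_body(client_id, client_secret, audience):
    """Form body of an OAuth 2.0 client credentials grant for one audience."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }


def post_form_http(url, form):
    """Real transport: POST the form to the token endpoint and parse the JSON reply."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def bearer_header(token):
    """Header the middle API attaches when it calls the Internal API."""
    return {"Authorization": "Bearer " + token}


class M2MTokenCache:
    """Holds one client-credentials token and refreshes it before it expires.

    The user's own access token is never forwarded; the Internal API only
    ever sees tokens minted for its own audience.
    """

    def __init__(self, post_form=post_form_http, clock=time.monotonic, leeway=60):
        self._post_form = post_form
        self._clock = clock
        self._leeway = leeway  # refresh this many seconds before expiry
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0

    def get_token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._leeway:
            body = client_credentials_body(CLIENT_ID, CLIENT_SECRET, INTERNAL_API_AUDIENCE)
            resp = self._post_form(TOKEN_URL, body)
            if resp.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type: %r" % resp.get("token_type"))
            self._token = resp["access_token"]
            self._expires_at = now + int(resp["expires_in"])
            self.fetch_count += 1
        return self._token


# --- Constructed offline stand-ins so the example runs without a tenant ---

class FakeClock:
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def make_fake_endpoint():
    """Constructed stand-in for the token endpoint; issues a new token per call."""
    state = {"issued": 0}

    def post_form(url, form):
        if form.get("grant_type") != "client_credentials":
            raise ValueError("unsupported grant_type")
        if form.get("audience") != INTERNAL_API_AUDIENCE:
            raise ValueError("token requested for the wrong audience")
        state["issued"] += 1
        return {"access_token": "m2m-token-%d" % state["issued"],
                "token_type": "Bearer", "expires_in": 3600}

    return post_form, state


def demo():
    """Three calls over one hour: the second reuses the token, the third refreshes."""
    clock = FakeClock()
    post_form, state = make_fake_endpoint()
    cache = M2MTokenCache(post_form=post_form, clock=clock, leeway=60)
    first = cache.get_token()
    clock.advance(1800)
    second = cache.get_token()   # still valid, no new request
    clock.advance(1800)
    third = cache.get_token()    # inside the 60 s leeway, so re-fetched
    return first, second, third, state["issued"]


if __name__ == "__main__":
    print(demo())
```

The `leeway` avoids sending a token that expires in flight, and the single cached token is shared across all user requests because the M2M token carries no user identity; if the Internal API needs to know which user the work is for, pass that as request data the middle API has already authenticated, not by forwarding the user's token.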
