I’m writing a new API. The API is fronted by AWS API Gateway.
I want to onboard users such that they can use the API with a shared API secret, that is, a managed secret that is enrolled in Auth0 to authenticate a consumer of the API.
The consumer will use their API secret (which will be given to the user manually/out-of-band for now) to call an API endpoint like /get_jwt_auth, which will fetch a JWT provided by Auth0.
I want the ability to disable/blacklist/refuse a consumer based on API secret at any time, and maybe issue a new one (manually) in case there is a breach or compromise on the consumer.
What specific workflow/system do I need to use to make this happen with Auth0?
Do I want to use “client credentials grant” or “OAuth2 authentication code”? How do I do this with API Gateway using custom authorisers?
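The following is an added example, not code from the original post, Auth0 or AWS. It shows the piece the question ends on: an API Gateway TOKEN-type Lambda authorizer that validates an access token of the shape Auth0 issues for the client credentials grant (sub = "<client_id>@clients", azp = client_id) and refuses a consumer whose client id is on a revocation list, so access can be cut off before the token expires. Assumptions, labelled as such: the token is HS256-signed with a shared secret so the example runs offline (Auth0 signs API access tokens with RS256 by default, which in production would be verified against the tenant's JWKS with a library such as PyJWT); the tenant domain, audience, secret and revoked client ids are constructed sample values; the revocation set would in practice live in DynamoDB or Parameter Store rather than in code.

```python
"""Added example (not from the original post): a minimal AWS API Gateway
TOKEN-type Lambda authorizer that validates an access token obtained via the
OAuth2 client credentials grant and refuses consumers on a revocation list.

Assumptions, labelled as such: HS256 with a shared secret stands in for
Auth0's default RS256/JWKS verification; every configuration value below is a
constructed placeholder, not a real Auth0 or AWS identifier."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample configuration (placeholders, not real Auth0 values).
ISSUER = "https://example-tenant.auth0.com/"
AUDIENCE = "https://api.example.com"
SIGNING_SECRET = b"constructed-shared-secret-for-the-example"
# Client ids whose access has been disabled (e.g. after a suspected compromise).
# Checking this on every request refuses a consumer immediately, without
# waiting for its already-issued token to expire.
REVOKED_CLIENT_IDS = {"revoked-client-id-0001"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_test_token(client_id: str, exp_in: int = 3600, secret: bytes = SIGNING_SECRET) -> str:
    """Builds an HS256 token shaped like an Auth0 client-credentials access token
    (sub = "<client_id>@clients", azp = client_id). For offline testing only."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": f"{client_id}@clients", "aud": AUDIENCE,
               "azp": client_id, "iat": now, "exp": now + exp_in,
               "gty": "client-credentials"}
    signing_input = (f"{_b64url_encode(json.dumps(header).encode())}."
                     f"{_b64url_encode(json.dumps(payload).encode())}")
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Returns the claims if signature, issuer, audience and expiry check out,
    otherwise raises ValueError."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Only accept the algorithm we configured; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    return claims


def _policy(principal_id: str, effect: str, method_arn: str) -> dict:
    """Response shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
    }


def lambda_handler(event: dict, context=None) -> dict:
    """TOKEN authorizer entry point: event carries authorizationToken and methodArn."""
    method_arn = event.get("methodArn", "*")
    auth = event.get("authorizationToken", "")
    if not auth.startswith("Bearer "):
        return _policy("anonymous", "Deny", method_arn)
    try:
        claims = verify_token(auth[len("Bearer "):])
    except ValueError:
        return _policy("anonymous", "Deny", method_arn)
    sub = claims.get("sub", "")
    client_id = claims.get("azp") or (sub[:-len("@clients")] if sub.endswith("@clients") else sub)
    if client_id in REVOKED_CLIENT_IDS:
        # Token is cryptographically valid but the consumer has been disabled.
        return _policy(client_id, "Deny", method_arn)
    return _policy(client_id, "Allow", method_arn)
```

Revoking a consumer then means adding its client id to the revocation store (or deleting the M2M application in Auth0, which stops new tokens but not ones already issued), and re-issuing means creating a fresh client id/secret; the authorizer never sees the API secret itself, only the short-lived token minted from it.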