We’re evaluating different solutions for allowing 3rd party access to one of our APIs, and since we’re already using Auth0 M2M to protect all our internal API-to-API comms, I’m trying to figure out if we can use Auth0 for 3rd party access into our APIs as well.
API keys should be “ready to use”, and not require jumping through hoops such as replacing ID tokens for access tokens, managing token refresh, etc. We want customers to be able to just use an API key header and that’s it.
API keys should be long-lived.
API keys will be used for accounting (billing), so it must be possible to identify the API key used.
1000 API keys during the next 2 years (but needs to support more than that too).
I’m wondering if Auth0 has any documentation or use-case for this type of scenario?
The use case you describe seems to be subject to M2M authorization.
A machine-to-machine application requests a bearer token intended for the API, and your clients can access its resources by just sending a request with the Authorization header and the received Bearer token.
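The flow described in the answer above, as an added example that is not part of the original thread: a client requests a token with the client-credentials grant at Auth0's `/oauth/token` endpoint, caches it, and requests a new one shortly before it expires, which is the token handling each third-party client would carry under M2M. The domain, client ID, client secret and audience are placeholders, and `fake_post` is a constructed stand-in for the token endpoint so the block runs offline.

```python
import json, time, urllib.request

def http_post_json(url, body):
    """Real transport: POST a JSON body and return the parsed JSON response."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class M2MTokenSource:
    """Fetches and caches a client-credentials access token for one API."""
    def __init__(self, domain, client_id, client_secret, audience,
                 post=http_post_json, clock=time.time, skew=60):
        self.url = f"https://{domain}/oauth/token"
        self.body = {"grant_type": "client_credentials", "client_id": client_id,
                     "client_secret": client_secret, "audience": audience}
        self.post, self.clock, self.skew = post, clock, skew
        self.token, self.expires_at = None, 0.0

    def access_token(self):
        # Reuse the cached token until `skew` seconds before it expires.
        if self.token is None or self.clock() >= self.expires_at - self.skew:
            resp = self.post(self.url, self.body)
            if resp.get("token_type", "").lower() != "bearer" or "access_token" not in resp:
                raise RuntimeError("unexpected token response")
            self.token = resp["access_token"]
            self.expires_at = self.clock() + int(resp["expires_in"])
        return self.token

    def auth_header(self):
        return {"Authorization": f"Bearer {self.access_token()}"}

def demo():
    """Offline run against a constructed fake token endpoint."""
    calls, now = [], [1000.0]
    def fake_post(url, body):  # constructed response, not real Auth0 output
        calls.append((url, body["grant_type"], body["audience"]))
        return {"access_token": f"constructed-token-{len(calls)}",
                "token_type": "Bearer", "expires_in": 86400}
    src = M2MTokenSource("tenant.example.com", "CLIENT_ID_PLACEHOLDER",
                         "CLIENT_SECRET_PLACEHOLDER", "https://api.example.com/",
                         post=fake_post, clock=lambda: now[0])
    first = src.auth_header()
    cached = src.auth_header()   # served from cache, no second token request
    now[0] += 86400              # the token lifetime has passed
    renewed = src.auth_header()  # triggers a new token request
    return first, cached, renewed, calls

if __name__ == "__main__":
    print(demo())
```
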