Hi,
We’re evaluating different solutions for allowing 3rd party access to one of our APIs and since we’re already using Auth0 M2M to protect all our internal api-to-api comms, I’m trying to figure out if we can use Auth0 for 3rd party access into our APIs as well.
Some requirements:
API keys should be “ready to use”, and not require jumping through hoops such as exchanging ID tokens for access tokens, managing token refresh, etc. We want customers to be able to just use an API key header and that’s it.
API keys should be long-lived.
API keys will be used for accounting (billing), so it must be possible to identify the API key used.
1000 API keys during the next 2 years (but it needs to support more than that too).
I’m wondering if Auth0 has any documentation or use case for this type of scenario?
The use case you describe seems to be subject to M2M authorization.
A machine-to-machine application requests a bearer token intended for the API, and your clients can access its resources by just sending a request with the Authorization header and the received bearer token.
Maximum value for Token Expiration is 2,592,000 seconds (30 days).
The pricing page shows the monthly limits (please uncover the “Compare plans” tab) - Pricing - Auth0
One known challenge with this approach is that currently there’s no built-in mechanism to control how often your customers request a new access token for the API. There is a product feature request and you are welcome to upvote. It’s here: Add rate limiting and cache for m2m token authentication endpoints
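The reply above notes that nothing on the Auth0 side limits how often a customer calls the token endpoint, so the practical mitigation sits in the customer's client: obtain one token with the client-credentials grant and reuse it until shortly before it expires. The following is an added example, not code from the original thread or from Auth0. The token endpoint shape (POST to `/oauth/token` with `grant_type=client_credentials`) is the real Auth0 one; the tenant domain, client id, secret and audience are constructed placeholders, and the default fetcher is a fake that returns a constructed response so the module runs offline.

```python
"""Client-credentials (M2M) token caching for an Auth0-protected API.

Added example, not from the original thread or from Auth0. The real
endpoint is POST https://{domain}/oauth/token with grant_type=client_credentials;
all identifiers below are constructed placeholders and the fake fetcher
returns a constructed response so this runs offline.
"""
import json
import time
import urllib.request
from typing import Callable, Dict, Optional

TokenResponse = Dict[str, object]


def auth0_fetcher(domain: str, client_id: str, client_secret: str,
                  audience: str) -> Callable[[], TokenResponse]:
    """Return a function performing the real client-credentials grant.

    Not called in the offline demo; shown so the shape of the request is
    clear. Keep client_secret out of logs and source control.
    """
    def fetch() -> TokenResponse:
        body = json.dumps({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "audience": audience,
        }).encode()
        req = urllib.request.Request(
            f"https://{domain}/oauth/token", data=body,
            headers={"Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return fetch


class TokenCache:
    """Reuse one access token until it is within `skew` seconds of expiry.

    Every token request counts against the tenant's monthly M2M quota, so a
    client process should hold a single cached token per audience rather
    than requesting a fresh one per API call.
    """

    def __init__(self, fetch: Callable[[], TokenResponse], skew: int = 60,
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch = fetch
        self._skew = skew
        self._clock = clock          # injectable for deterministic tests
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0         # how many times the endpoint was hit

    def get(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            resp = self._fetch()
            self.fetch_count += 1
            self._token = str(resp["access_token"])
            # expires_in is the lifetime in seconds returned by the endpoint
            self._expires_at = now + int(resp["expires_in"])
        return self._token

    def auth_header(self) -> Dict[str, str]:
        """Header the customer sends on every API request."""
        return {"Authorization": f"Bearer {self.get()}"}


def make_fake_fetcher(expires_in: int = 86400) -> Callable[[], TokenResponse]:
    """Constructed stand-in for the token endpoint: a new token per call."""
    counter = {"n": 0}

    def fetch() -> TokenResponse:
        counter["n"] += 1
        return {"access_token": f"fake-token-{counter['n']}",
                "token_type": "Bearer", "expires_in": expires_in}
    return fetch


def simulate(days: int = 2, requests_per_day: int = 1000) -> Dict[str, int]:
    """Spread API calls evenly over `days` and count token-endpoint hits."""
    now = [0.0]
    cache = TokenCache(make_fake_fetcher(), skew=60, clock=lambda: now[0])
    step = 86400 / requests_per_day
    total = days * requests_per_day
    for i in range(total):
        now[0] = i * step
        cache.auth_header()
    return {"api_calls": total, "token_requests": cache.fetch_count}


if __name__ == "__main__":
    print(simulate())  # 2000 API calls, 2 token requests with a 24 h token
```

With a one-day token and a 60-second safety skew, two thousand API calls over two days cost two token requests; without the cache each call would be a request against the monthly quota the reply links to. The clock is injected so the refresh boundary can be tested without waiting a day.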