Use Auth0 to secure public api with 3rd party access

We’re evaluating different solutions for allowing 3rd party access to one of our APIs and since we’re already using Auth0 M2M to protect all our internal api-to-api comms, I’m trying to figure out if we can use Auth0 for 3rd party access into our APIs as well.

Some requirements:

  • API keys should be “ready to use”, and not require jumping through hoops such as exchanging ID tokens for access tokens, managing token refresh, etc. We want customers to be able to just use an API key header and that’s it
  • API keys should be long-lived
  • API keys will be used for accounting (billing), so it must be possible to identify the API key used
  • 1000 API keys during the next 2 years (but it needs to support more than that too)

I’m wondering if Auth0 has any documentation or use-case for this type of scenario?

Hi @trondhindenes ,

The use case you describe seems to be subject to M2M authorization.

A machine-to-machine application requests a bearer token intended for the API, and your clients can access its resources by just sending a request with the Authorization header and the received Bearer token.

Maximum value for Token Expiration is 2,592,000 seconds (30 days).

There are monthly reports of the subscription usage - Monitor Subscription Usage

The pricing page shows the monthly limits (please uncover the “Compare plans” tab) - Pricing - Auth0

One known challenge with this approach is that currently there’s no built-in mechanism to control how often your customers request a new access token for the API. There is a product feature request and you are welcome to upvote. It’s here: Add rate limiting and cache for m2m token authentication endpoints

There’s also guidance developed by our developers to help with that (it’s downloadable and can be found in this post) - Limit Client requests on Machine to Machine flow - #2 by peter.fernandez

Hope this helps and feel free to reach out with questions!
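As an added illustration of the API side of the flow described in the reply above (this is example code, not Auth0's or the poster's), here is a minimal resource-server check for a client-credentials access token: it pulls the token out of the `Authorization: Bearer …` header, verifies signature, issuer, audience and expiry, refuses tokens whose lifetime exceeds the 30-day maximum quoted above, and returns the M2M client id (the `azp` claim, or `sub` without its `@clients` suffix) so each request can be attributed for billing. It assumes the API is configured in Auth0 with the HS256 signing algorithm, so the shared API signing secret verifies tokens; the tenant URL, audience, secret and client id are constructed placeholders, and the `mint_m2m_token` helper exists only to build test input (in production Auth0 mints the token).

```python
"""Constructed example: verifying an Auth0-style M2M bearer token at the API.

Assumptions (not from the thread): the API uses the HS256 signing algorithm,
so verification uses the API signing secret; all identifiers are placeholders.
"""
import base64
import hashlib
import hmac
import json

ISSUER = "https://example-tenant.auth0.com/"        # constructed placeholder tenant
AUDIENCE = "https://api.example.com/"                # constructed API identifier
SIGNING_SECRET = b"constructed-api-signing-secret"   # placeholder; load from a secret store in real code
MAX_LIFETIME = 2_592_000                             # 30 days, the maximum Token Expiration quoted above


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_m2m_token(client_id: str, scope: str, lifetime: int, now: int) -> str:
    """Build an HS256 JWT shaped like an Auth0 client-credentials access token.
    Test-input helper only; in production Auth0 issues the token."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": ISSUER,
        "sub": f"{client_id}@clients",   # M2M tokens carry the client id in sub
        "aud": AUDIENCE,
        "iat": now,
        "exp": now + lifetime,
        "azp": client_id,                # authorized party: the M2M application
        "gty": "client-credentials",
        "scope": scope,
    }
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def token_from_header(authorization: str) -> str:
    """Extract the token from an `Authorization: Bearer <token>` header value."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("expected Bearer scheme")
    return token.strip()


def verify_m2m_token(token: str, now: int) -> dict:
    """Verify signature, issuer, audience, expiry and lifetime; return claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects alg=none and algorithm confusion
    expected = hmac.new(SIGNING_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    exp = claims.get("exp", 0)
    if now >= exp:
        raise ValueError("expired")
    if exp - claims.get("iat", exp) > MAX_LIFETIME:
        raise ValueError("lifetime exceeds 30 days")
    return claims


def billing_client_id(claims: dict) -> str:
    """Attribute the request for accounting: azp, or sub without the @clients suffix."""
    if "azp" in claims:
        return claims["azp"]
    sub = claims["sub"]
    return sub[: -len("@clients")] if sub.endswith("@clients") else sub


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    tok = mint_m2m_token("constructedClientId", "read:things", 86_400, now)
    claims = verify_m2m_token(token_from_header("Bearer " + tok), now + 10)
    print("billing client:", billing_client_id(claims))
```

Because the client id comes from the verified token rather than from a customer-supplied header, the accounting record cannot be forged by a caller; the lifetime check gives the API an independent guard even if a token's configured expiration is later raised in the dashboard.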
