Using App Metadata to customize access token per client for M2M applications

gavin3466 · January 6, 2023, 7:31am

I have an API that needs to authorize access based on company_id. One way to do it is to maintain a mapping of the company ID and all the client IDs (M2M apps) it generates. I am wondering whether it’d be better/secure to just embed the company ID in the access token instead. Here is the workflow I plan to implement -

when a company creates the M2M app (via our portal), we put the company_id in the app metadata;
we then use Action to put App Metadata in the Access token as a custom claim;
Our API upon receiving the access token, decodes jwt and extract company_id and use it for authorization.

Will this work? Is that any security issue with this approach?

Thanks!!!

rueben.tiow · January 6, 2023, 5:21pm

Hi @gavin3466,

Thanks for reaching out to the Auth0 Community!

Yes! Your proposed approach will work and will be a secure way to handle authorization.

Here is a helpful FAQ resource I recommend reading: Adding custom claims to tokens

Please let me know if you have any additional questions.

Thanks,
Rueben

system · January 20, 2023, 5:22pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Implementing personal access token Help	10	3462	October 5, 2022
What is the correct method to protect client-facing API? Help access-token	4	2106	October 27, 2023
Inserting Metadata Into Requests Help api , m2m	3	3161	October 6, 2021
Auth0 Actions for M2M to return Application metadata in JWT Help management-api , clients	2	934	August 16, 2023
M2M Tokens with org_id Help product-feature-request , customer-feedback	4	149	July 10, 2024

Using App Metadata to customize access token per client for M2M applications

Related Topics