Using App Metadata to customize access token per client for M2M applications

I have an API that needs to authorize access based on company_id. One way to do it is to maintain a mapping of the company ID and all the client IDs (M2M apps) it generates. I am wondering whether it’d be better/secure to just embed the company ID in the access token instead. Here is the workflow I plan to implement -

  1. when a company creates the M2M app (via our portal), we put the company_id in the app metadata;
  2. we then use Action to put App Metadata in the Access token as a custom claim;
  3. Our API, upon receiving the access token, decodes the JWT, extracts company_id and uses it for authorization.

Will this work? Is there any security issue with this approach?

Thanks!!!

Hi @gavin3466,

Thanks for reaching out to the Auth0 Community!

Yes! Your proposed approach will work and will be a secure way to handle authorization.

Here is a helpful FAQ resource I recommend reading: Adding custom claims to tokens

Please let me know if you have any additional questions.

Thanks,
Rueben
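As an added example (not code from this thread or from Auth0's own documentation), here is the workflow from the question in Node.js: an Action for the Machine to Machine trigger that copies the application's company_id from App Metadata into the access token, and the API-side check that reads it back. The claim namespace https://example.com/, the metadata key company_id and the runAction stand-in for the Action runtime are assumptions.

```javascript
// Added example, not part of the original thread. Assumed: the namespace
// below and the App Metadata key "company_id" set in the portal.
const NAMESPACE = 'https://example.com/'; // custom claims must be namespaced

// Auth0 Action body for the Machine to Machine (credentials-exchange) trigger.
// In the Action editor this is exported as exports.onExecuteCredentialsExchange.
// event.client.metadata is the App Metadata of the client that requested the token.
function onExecuteCredentialsExchange(event, api) {
  const metadata = (event.client && event.client.metadata) || {};
  const companyId = metadata.company_id;
  if (typeof companyId !== 'string' || companyId.length === 0) {
    // No tenant binding: refuse the token rather than mint one the API
    // cannot authorize.
    api.access.deny('invalid_client', 'company_id not set in app metadata');
    return;
  }
  api.accessToken.setCustomClaim(`${NAMESPACE}company_id`, companyId);
}

// API side. Call this only with claims from a JWT whose signature, issuer,
// audience and expiry were already verified (e.g. by express-oauth2-jwt-bearer);
// a claim from an unverified payload proves nothing.
function authorizeCompany(verifiedClaims, requestedCompanyId) {
  const tokenCompany = verifiedClaims[`${NAMESPACE}company_id`];
  if (typeof tokenCompany !== 'string' || tokenCompany.length === 0) return false;
  return tokenCompany === String(requestedCompanyId);
}

// Minimal stand-in for the Action runtime so the Action can be exercised offline.
// Returns the claims the Action added and any deny() call it made.
function runAction(clientMetadata) {
  const claims = {};
  let denied = null;
  const api = {
    accessToken: { setCustomClaim: (name, value) => { claims[name] = value; } },
    access: { deny: (code, reason) => { denied = { code, reason }; } },
  };
  onExecuteCredentialsExchange({ client: { metadata: clientMetadata } }, api);
  return { claims, denied };
}
```

Because the claim is copied from App Metadata that only your portal writes, the client itself cannot choose its company_id; the API's trust rests on verifying the token before reading the claim.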

