Using Auth0 to issue API keys for teams with team based rate limits?


I’m responsible for developing a central authentication and authorization service for multiple applications and APIs. However, it seems that those use cases for authorisation are rather complex when using Auth0.

The most complex case seems this: We want to allow users to organise themselves in teams and request API keys to access one of our APIs on behalf of that team. Users can belong to multiple teams and the teams will have different permissions and rate limits for different APIs.

After reading through Auth0 docs, this seems to be one way to solve that. But I’d like to have some input to open questions and whether this concept makes sense at all:

  1. User Tom registers on a MyAccount web application using Auth0.
  2. MyAccount requests an API key for the central authorisation API (hosted by us) using the Authorization Code Flow (with PKCE if MyAccount is a SPA)
  3. Tom sends a create_team request to create the team some_team
  4. The authorisation API uses Auth0’s Management API to
    a) Create a new resource server (API) on Auth0 (for example using the identifier
    b) Add the team and the user's role to the user's app_metadata field (for example { "teams": [ {"name": "some_team", "role": "admin"} ] })
  5. Tom now switches to the team page on the MyAccount web app which then requests an access token for (using the Authorization Code Flow again)
  6. An Auth0 rule now checks on that authorisation request that Tom belongs to some_team (otherwise returns unauthorised) and adds the role admin to the token.
  7. Tom can now access the teams page and is able to add/remove other users via endpoint (Question: How can we query Auth0 for all users belonging to team some_team?)
  8. We now want to allow some_team access to with custom rate limits, so
    a) One of our admins sends a set_permissions request to to allow some_team to access with a limit of 1000 requests per second.
    b) The API either stores this internally in a database or uses the Management API to write this to Auth0 (Question: Where would we store such team based parameters in Auth0?)
    c) also uses the Management API to create a new resource server (API)
  9. Tom now wants to create an API key to access on behalf of some_team, so:
    a) The MyAccount application requests a refresh_token for via using the Authorization Code Flow
    b) An Auth0 rule now checks that Tom belongs to some_team (otherwise returns unauthorised) and adds the custom rate limit to the access token.
    c) The refresh token is displayed to Tom, which he can now use to get short lived access tokens. He does this by proxying the request through which uses its client id and secret to be able to refresh access tokens.
    d) Tom uses those access tokens to request data from, while ourapi is applying the teams rate limits.

This seems rather complicated though and I’m not sure if it’s not easier to just issue our own JWTs for API access and have API permissions stored in our own database (and use Auth0 only to handle access tokens for But maybe I’m also getting this wrong and there is an easier way to solve this use case?
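Added example (not part of the original post, and not Auth0's or the poster's code): a sketch of the rule described in steps 6 and 9b, written in the legacy Auth0 Rule shape `function (user, context, callback)`, plus the check the protected API has to do on its side. It assumes that team membership is stored in `user.app_metadata.teams` as in step 4b, that the resource server identifier arrives as `context.request.query.audience`, that the team to act on behalf of is passed as a custom `team` authorization parameter (an assumption; the post does not say how the team is selected), and that the per-team limits granted in step 8 live in a constructed lookup table standing in for whatever store is chosen in 8b. `UnauthorizedError` is provided by the rule runtime in real Auth0 rules and is only defined here so the example runs stand-alone. Custom claims are namespaced with a URI prefix because Auth0 discards non-namespaced custom claims from tokens.

```javascript
// Assumed for the example: the Auth0 runtime normally provides this class.
class UnauthorizedError extends Error {}

// Constructed grant table (stand-in for the store from step 8b):
// audience (resource server identifier) -> team name -> limit.
const TEAM_LIMITS = {
  'https://ourapi.example.com': {
    some_team: { requestsPerSecond: 1000 },
  },
};

// Custom claims must be namespaced or Auth0 drops them from the token.
const NS = 'https://myaccount.example.com/';

// Rule body for steps 6 and 9b: refuse tokens for teams the user is not a
// member of, or for APIs the team was never granted, and otherwise stamp the
// team, role and rate limit into the access token as namespaced claims.
function teamRule(user, context, callback) {
  const query = (context.request && context.request.query) || {};
  const audience = query.audience;
  const requestedTeam = query.team; // assumed custom authorization parameter
  const teams = (user.app_metadata && user.app_metadata.teams) || [];

  if (!audience || !requestedTeam) {
    return callback(new UnauthorizedError('audience and team are required'));
  }

  // Membership check: the user must belong to the team they act on behalf of.
  const membership = teams.find((t) => t.name === requestedTeam);
  if (!membership) {
    return callback(new UnauthorizedError('user is not a member of ' + requestedTeam));
  }

  // Permission check: an admin must have granted this team access to this API.
  const grant = TEAM_LIMITS[audience] && TEAM_LIMITS[audience][requestedTeam];
  if (!grant) {
    return callback(new UnauthorizedError(requestedTeam + ' has no access to ' + audience));
  }

  context.accessToken = context.accessToken || {};
  context.accessToken[NS + 'team'] = requestedTeam;
  context.accessToken[NS + 'role'] = membership.role;
  context.accessToken[NS + 'rate_limit'] = grant.requestsPerSecond;
  return callback(null, user, context);
}

// Synchronous wrapper so the rule's outcome can be inspected in one call.
function runRule(user, context) {
  let result = null;
  teamRule(user, context, (err, u, ctx) => { result = { err: err, context: ctx }; });
  return result;
}

// API side: only trust the rate-limit claim after confirming the token was
// issued for this API. A token minted for the team page (step 5) carries a
// different audience and must not be usable against ourapi.
function limitFromToken(payload, expectedAudience) {
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(expectedAudience)) return null;
  const limit = payload[NS + 'rate_limit'];
  return Number.isInteger(limit) && limit > 0 ? limit : null;
}

// Constructed sample: Tom is admin of some_team and asks for a token for ourapi.
const tom = { user_id: 'auth0|tom', app_metadata: { teams: [{ name: 'some_team', role: 'admin' }] } };
const ctx = { request: { query: { audience: 'https://ourapi.example.com', team: 'some_team' } } };
const outcome = runRule(tom, ctx);
console.log(outcome.err ? outcome.err.message : outcome.context.accessToken);
```

Note that the rule only gates token issuance; the API still has to validate the signature and `aud` of every token and enforce the limit itself, which is why `limitFromToken` refuses to read the claim from a token issued for another audience.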