What is the right way to allow multiple users in different client organizations to access an API?

We have a web application that allows users from different Organizations to access the application. Some organizations use username / password, and some use SAML 2.0.

We now need to provide API access to these users as well.

I’ve read Direct User Authentication for a Standalone REST API and What is the correct method to protect client-facing API? - #3 by haoran and I’m still not clear on the right way to do this.

The second link suggests that we should create a machine-to-machine application for each customer, but that would mean managing 2 sets of credentials, and some of our users may struggle with that, causing friction.

Is there a simple programmatic way (that doesn’t rely on us creating an endpoint that we host) for a user to use their organization’s authentication process (username/password or SAML) to get a token that could then be included as a header in REST requests to authenticate the user?

For the web app, we already have a flow that adds roles and organization information to the token with api.idToken.setCustomClaim and then creates a JWT token.


Hey there @WTP welcome to the community!

If I’m not mistaken, it sounds like a very standard scenario which is outlined here - Basically, when a user logs in to your web app you will include an audience param and scopes/permissions related to the API registered in Auth0. Your web app will then make requests to your API with the user’s access token, at which point the API will validate it and perform any necessary actions. Auth0 provides various Backend SDKs to make this process easier.

These posts seem to be more directed at the Auth0 equivalent of API Keys, which are client credentials. Some more on that here:

Let us know if this helps to clarify at all!