At some point, your APIs will need to allow limited access to users, servers, or servers on behalf of users.
Auth0's API authorization features allow you to manage the authorization requirements for server-to-server and client-to-server applications.
By using the OAuth 2.0 authorization framework, you can give your own applications or third-party applications limited access to your APIs on behalf of the application itself.
Using Auth0, you can easily support different flows in your own APIs without worrying about the OAuth 2.0/OpenID Connect specification, or the many other technical aspects of API authorization.
Introducing OIDC Conformant Authentication
This document presents an overview of the latest new features and changes in our authentication flows, explain why they were made and points to other detailed tutorials to help you adopt these changes.
OIDC Conformant Authentication Adoption Guide
This guide details all the latest new features and changes and provides suggestions on how to adapt your existing applications.
Which OAuth 2.0 flow should I use?
OAuth 2.0 supports several different grants. Deciding which one is suited for your case depends mostly on your Client's type, but other parameters weight in as well, like the level of trust for the Client, or the experience you want your users to have. Start here if you are not familiar with all that and you need directions in order to decide the proper flow for your case.
Calling APIs from Server-side Web Apps
If your application executes on a server and you want to configure it to use OAuth 2.0 to access an API, read these docs.
Calling APIs from Mobile Apps
If your application is a native app and you want to configure it to use OAuth 2.0 to access an API, read these docs.
Calling APIs from Client-side Web Apps
Calling APIs from a Service
If you want to implement server-to-server interaction, and you want to configure it to use OAuth 2.0, read these docs.
Calling APIs from Highly Trusted Clients
If the application is highly trusted and no other grant can be used, read these docs. In this flow the end-user is asked to fill in credentials (username/password) typically using an interactive form. This information is later on sent to the Client and the Authorization Server. It is therefore imperative that the Client is absolutely trusted with this information.
Why you should always use access tokens to secure an API
Learn about the differences between Αccess Τoken and ID Τoken and why the later should never be used to secure an API.
Dynamic Client Registration
Learn how to allow third party developers to create clients under your account following the OpenID Connect Dynamic Client Registration specification.
Verify Access Tokens
Learn what an API has to do in order to verify a Bearer Access Token.
Restrict User/Client Requests for API Scopes
Learn how to restrict users/clients from requesting API scopes for which they don't have access.
Blacklists and Client Grants
Learn about revoking access to APIs and best practices for doing so.
Frequently Asked Questions on API Authentication and Authorization .