API Authentication and Authorization
At some point, your APIs will need to grant limited access to users, to servers, or to servers acting on behalf of users.
Auth0's API authorization features allow you to manage the authorization requirements for server-to-server and client-to-server applications.
By using the OAuth 2.0 authorization framework, you can give your own applications or third-party applications limited access to your APIs, either on behalf of a user or on behalf of the application itself.
Using Auth0, you can support the different flows in your own APIs without having to implement the OAuth 2.0 and OpenID Connect specifications yourself, or deal with the many other technical aspects of API authorization.
Several participants in the OAuth 2.0 specification can be identified:
- Authorization Server: Auth0, in this case
- Resource Servers: your APIs
- Clients: the consumers of your APIs, which can include third-party applications or your own customers
- Resource Owner: the user of your APIs and of the applications
- User Agent: the user's browser or mobile app
Using different grants (or flows), these participants will interact to grant Clients limited access to the Resource Servers you are building. As a result, the Client will obtain an access_token that can be used to call the Resource Server on behalf of the user or of the Client itself.
- Server to Server Applications (no user involved; the Client authenticates with its own credentials): Client Credentials Grant
- Client to Server Applications (browser-based applications that cannot keep a secret; the access_token is returned directly in the URL fragment): Implicit Grant. Current OAuth 2.0 security guidance recommends the Authorization Code Grant with PKCE for these applications instead.
- Client to Server Applications (confidential Clients such as server-side web applications, which can keep a client secret): Authorization Code Grant
- Public Client to Server Applications (native, mobile, and single-page applications that cannot keep a client secret): Authorization Code Grant with PKCE
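To make the roles above concrete, here is the Client Credentials Grant simulated end to end, with the Client, the Authorization Server's token endpoint and the Resource Server's token check all in one process so it runs offline. This is an added example written from the OAuth 2.0 and JWT specifications; it is not Auth0's code. The request body mirrors what a machine-to-machine Client POSTs to Auth0's https://{domain}/oauth/token endpoint (grant_type, client_id, client_secret, audience), but the tenant domain, API identifier, client, secret, scopes and the HS256 shared secret are all constructed for the demo. In a real deployment the Resource Server would normally verify an RS256 signature against the issuer's published public keys rather than share a secret with it; the claim checks are the same either way.

```python
# Added example (not Auth0's code): the Client Credentials Grant simulated end to end.
# Tenant domain, API identifier, client, secret and scopes are constructed for the demo.
import base64
import hashlib
import hmac
import json
import time

AUTH0_DOMAIN = "example.auth0.com"                # hypothetical tenant
ISSUER = f"https://{AUTH0_DOMAIN}/"               # iss claim the Authorization Server puts in its tokens
API_IDENTIFIER = "https://reports.example.com/"   # the Resource Server's identifier (the audience)
SIGNING_SECRET = b"constructed-demo-secret-do-not-reuse"  # HS256 for the demo; production is usually RS256 + JWKS

# Registered machine-to-machine Clients and the scopes their Client Grant allows (constructed).
CLIENT_GRANTS = {
    "abc123": {"secret": "s3cr3t", "scopes": ["read:reports"]},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_token_request(client_id, client_secret, audience):
    """Body the Client POSTs to https://{domain}/oauth/token; no user is involved."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "audience": audience}


def token_endpoint(req, now=None):
    """Simulated Authorization Server: authenticate the Client, check its grant, mint a JWT."""
    now = int(time.time()) if now is None else now
    if req.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    grant = CLIENT_GRANTS.get(req.get("client_id"))
    if grant is None or not hmac.compare_digest(grant["secret"], str(req.get("client_secret", ""))):
        return {"error": "access_denied"}
    if req.get("audience") != API_IDENTIFIER:     # this Client has no grant for any other Resource Server
        return {"error": "access_denied"}
    claims = {"iss": ISSUER, "sub": f"{req['client_id']}@clients", "aud": API_IDENTIFIER,
              "iat": now, "exp": now + 86400, "scope": " ".join(grant["scopes"])}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = f"{header}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return {"access_token": f"{signing_input}.{_b64url(sig)}", "token_type": "Bearer", "expires_in": 86400}


def verify_access_token(token, expected_aud, required_scope, now=None):
    """Resource Server side. Returns (True, claims) or (False, reason).

    Order matters: pin the algorithm, verify the signature, and only then read claims.
    Issuer, audience, expiry and scope are each checked explicitly."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    head, body, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
        given_sig = _b64url_decode(sig)
    except ValueError:                             # bad base64 or bad JSON/UTF-8
        return False, "malformed"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "bad alg"                    # allow-list; never honour alg from the token ("none", key confusion)
    expected = hmac.new(SIGNING_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        return False, "bad issuer"
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return False, "bad audience"               # a token minted for another API must not be accepted here
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    if required_scope not in claims.get("scope", "").split():
        return False, "insufficient_scope"
    return True, claims


def forge_scope(token, new_scope):
    """What a token holder might try: rewrite the payload and keep the old signature."""
    head, body, sig = token.split(".")
    claims = json.loads(_b64url_decode(body))
    claims["scope"] = new_scope
    return f"{head}.{_b64url(json.dumps(claims).encode())}.{sig}"


def run_demo():
    """Full exchange, Client -> token endpoint -> Resource Server, plus the failure cases."""
    resp = token_endpoint(build_token_request("abc123", "s3cr3t", API_IDENTIFIER))
    token = resp["access_token"]
    return {
        "issued": resp["token_type"] == "Bearer",
        "accepted": verify_access_token(token, API_IDENTIFIER, "read:reports")[0],
        "wrong_secret": token_endpoint(build_token_request("abc123", "nope", API_IDENTIFIER)),
        "wrong_audience": verify_access_token(token, "https://other.example.com/", "read:reports"),
        "missing_scope": verify_access_token(token, API_IDENTIFIER, "write:reports")[1],
        "forged": verify_access_token(forge_scope(token, "read:reports write:reports"),
                                      API_IDENTIFIER, "write:reports")[1],
        "expired": verify_access_token(token, API_IDENTIFIER, "read:reports", now=int(time.time()) + 90000)[1],
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The point of the Resource Server half is the ordering: the algorithm is pinned before anything is trusted, the signature is checked before any claim is read, and audience is enforced so that a valid token minted for a different API on the same tenant is still rejected. The forged-scope case shows why the scope check is only meaningful after the signature check.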
See the following tutorials for a step-by-step guide on using Auth0 to implement the OAuth 2.0 authorization framework within your applications and enable the API Authorization scenarios.
Note: At the moment we only have tutorials for the Client Credentials Grant exchange. Tutorials for the other grant types are in the making. In the meantime, if you need assistance or more information, please contact our Support Center.
- Setting up a Client Credentials Grant using Auth0's Management Dashboard
- How to ask Auth0 for an access token for a Resource Server in a Client Credentials Grant
- Using Auth0's Management API for setting up Resource Servers and Client Grants