Authorization

At some point, your custom APIs will need to allow limited access to users, servers, or servers on behalf of users. Authorization refers to the process of verifying what a user has access to. While often used interchangeably with authentication, authorization represents a fundamentally different function. To learn more, read Authentication and Authorization.

In authorization, a user or application is granted access to an API after the API determines the extent of the permissions that it should assign. Usually, authorization occurs after identity is successfully validated through authentication so that the API has some idea of what sort of access it should grant.

Authorization and access control

Authorization can be determined through policies and rules, which can be combined with role-based access control (RBAC). Regardless of whether RBAC is used, requested access is transmitted to the API via scopes, and granted access is returned in the issued Access Tokens.

Since only the API can know all of the possible actions that it can handle, it should have its own internal access control system in which it defines its own permissions. To determine a calling application's effective permissions, an API should combine incoming scopes with the permissions assigned within its own internal access control system and make access control decisions accordingly.
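The combination step described above, as an added example that is not Auth0's code: the API intersects the scopes carried in an already-verified access token with the permissions its own role model assigns to the subject, and makes the access decision from that intersection. The role and user tables, claim values and permission names are all constructed for illustration.

```javascript
// Added example (not Auth0's code). Assumes the access token has already
// been verified (signature, issuer, audience, expiry) and its payload
// decoded; the `scope` claim is a space-delimited string (RFC 6749).

// Hypothetical internal access control model owned by the API itself.
const ROLE_PERMISSIONS = {
  viewer: ['read:documents'],
  editor: ['read:documents', 'write:documents'],
  admin: ['read:documents', 'write:documents', 'delete:documents'],
};

// Hypothetical subject -> roles mapping maintained by the API, not the issuer.
const USER_ROLES = {
  'auth0|user-1': ['editor'],
  'auth0|user-2': ['viewer'],
};

// Scopes the caller requested and the authorization server issued.
function parseScopes(claims) {
  const raw = typeof claims.scope === 'string' ? claims.scope : '';
  return new Set(raw.split(' ').filter(Boolean));
}

// Permissions the API's own model assigns to the subject through its roles.
function internalPermissions(subject) {
  const perms = new Set();
  for (const role of USER_ROLES[subject] || []) {
    for (const p of ROLE_PERMISSIONS[role] || []) perms.add(p);
  }
  return perms;
}

// Effective permissions are the intersection: a scope on the token never
// grants more than the API's model allows, and the model never grants more
// than the token actually carries.
function effectivePermissions(claims) {
  const allowed = internalPermissions(claims.sub);
  return new Set([...parseScopes(claims)].filter((p) => allowed.has(p)));
}

// Single access control decision used by a route handler.
function isAuthorized(claims, permission) {
  return effectivePermissions(claims).has(permission);
}

// Constructed sample payload: user-2 is only a viewer in the API's model,
// so write:documents on the token does not become an effective permission.
const sampleClaims = { sub: 'auth0|user-2', scope: 'read:documents write:documents' };
```

A token issued for a subject the API does not know yields no effective permissions at all, which is the safe default when the API's model has nothing to say about the caller.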

Key topics

APIs: Learn the basics, including how to configure APIs in Auth0.

Authentication and Authorization Flows: Learn about the various flows used for authentication and authorization of applications and APIs. See a comparison of authorization and authentication.

Which OAuth 2.0 Flow Should I Use?: The flow you use depends mostly on your application's type, but other parameters weigh in as well, like the level of trust for the Application or the experience you want your users to have. Start here if you need help deciding which flow to use for your use case.

Represent Multiple APIs Using a Single Logical API in Auth0: Learn how to represent multiple APIs using a single logical API.

Revoke Access to APIs using DenyLists or Application Grants: Learn about revoking access to APIs and best practices for doing so.

Renew Tokens When Using Safari: Learn about issues with token renewal in Safari when ITP is enabled and explore workarounds.

User Consent and Third-Party Applications: Learn how to decouple APIs from applications that consume them and define third-party apps that you don't control or may not trust.

Silent Authentication for SPAs: To renew sessions in SPAs, you can use the Authorization Code Flow with PKCE together with Silent Authentication, which lets an application indicate that the authorization server must not display any user interaction.

Mitigate Replay Attacks for SPAs: Learn how to securely generate and validate a cryptographic nonce for use with the Implicit Flow with Form Post.

Customize Tokens Using Hooks with Client Credentials Flow: Learn how to use Hooks to change scopes and add custom claims in the access token obtained using the Client Credentials Flow.

Avoid Common Issues with Resource Owner Password Flow and Attack Protection: Learn how to avoid common issues encountered when using the Resource Owner Password Flow to call server-side APIs with attack protection enabled.

Authenticate Using the Resource Owner Password Flow with MFA: If you need to use the Resource Owner Password Flow, but require stronger authentication, you can add multi-factor authentication (MFA).

Learn more