An API is an entity that represents an external resource, capable of accepting and responding to protected resource requests made by applications. In the OAuth2 spec, an API maps to the Resource Server.

When an application wants to access an API's protected resources, it must provide an Access Token. The same Access Token can be used to access the API's resources without having to authenticate again until it expires.

API permissions

Each API has a set of defined permissions. When an application executes the authorization flow, it can request a subset of those permissions through the scope request parameter, and the permissions that are granted are included in the Access Token. To learn more about scopes, see API Scopes.
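The check an API (the Resource Server) makes on each request, as an added example that is not part of the original page or Auth0's own code. It assumes the Access Token is an HS256-signed JWT carrying exp, aud and a space-delimited scope claim; the key, audience and permission names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def _enc(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 token, standing in for the authorization server."""
    head = _enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _enc(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_enc(sig)}"

def authorize(token: str, key: bytes, audience: str, required: set, now=None):
    """Return (allowed, reason) for one request to a protected resource."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        # Pin the algorithm: the token must not choose how it is verified.
        if json.loads(_dec(head)).get("alg") != "HS256":
            return False, "unexpected alg"
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _dec(sig)):
            return False, "bad signature"
        claims = json.loads(_dec(body))
    except (ValueError, TypeError, AttributeError):
        return False, "malformed token"
    if not isinstance(claims, dict):
        return False, "malformed token"
    # The token is reusable only until it expires.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    # The token must have been issued for this API, not another one.
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    # Every permission the endpoint needs must be in the granted scope.
    scope = claims.get("scope", "")
    missing = required - (set(scope.split()) if isinstance(scope, str) else set())
    if missing:
        return False, "missing scope: " + " ".join(sorted(missing))
    return True, "ok"

# Constructed sample values (assumptions, not from the original page).
KEY = b"constructed-demo-secret"
API = "https://api.example.com/"
TOKEN = mint_token({"aud": API, "exp": 2_000_000_000, "scope": "read:items"}, KEY)
```

A production API would normally delegate signature and claim validation to a maintained JWT library rather than hand-rolled code like this.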

Configure an API

To protect an API, you must register an API using the Auth0 Dashboard. To learn more, see Register APIs.

Before you register any APIs in the Auth0 Dashboard, one API will already exist: the Auth0 Management API. To learn more about the features of the Management API and its available endpoints, see Management API.
