Enabling API Access to the Authorization Extension


Currently, we provide two ways of implementing role-based access control (RBAC), which you can use in place of or in combination with your API's own internal access control system:

We are expanding our Authorization Core feature set to match the functionality of the Authorization Extension and expect a final release in 2020. Our new core RBAC implementation improves performance and scalability and will eventually provide a more flexible RBAC system than the Authorization Extension.

For now, both implement the key features of RBAC and allow you to restrict the custom scopes defined for an API to those that have been assigned to the user as permissions. For a comparison, see Authorization Core vs. Authorization Extension.

Once configured and set up, your extension should contain users, as well as groups, roles, and permissions. You can automate provisioning and query the authorization context of your users in real-time if you enable API access to your extension.

Enable API Access

Log in to the Management Dashboard, and open up the Authorization Extension.

To get to API section, click on your Auth0 tenant name on the top right of the Authorization Dashboard. Click API.

Click API

On the Settings page, use the toggle to enable API Access.

Enable API Access

Once enabled, you'll be able to see or control (within the extension) some of the parameters of the tokens issued by the API. You can control the time to expiration of the token, as well as view the token's audience, issuer, and URL to access the API.

API Access Enabled

Access the Extension's API

When you enabled API access to the extension, Auth0 automatically created an API for your use in the Dashboard. To access the API, you'll need to create a Machine to Machine Application, which is the entity that interacts with the API itself.

Create the Application

In the Applications section of the Dashboard, click Create Application. Name your new Application, and choose the Machine to Machine Application type. Click Create to proceed.

You'll be redirected to the Quick Start page of the Application, where you can customize the living documentation based on the API with which you'll use the Application. Select the API that Auth0 created for your extension (it should be called auth0-authorization-extension-api or similar).

Since this is the first time you're working with the API and Application together, you'll see a message that says, "This application is not authorized for this API." To authorize the application for use with the API, click Navigate to the API and Authorize.

Application Quick Start Page

You'll see a list of Machine to Machine Applications you can use with your API. Click the slider next to the Application you just created to authorize it.

Authorize Application

Once you've authorized the Application, you'll see the Grant ID. You can also select the Scopes to be granted to the Application. The scopes you grant depends on the endpoints you want to access. For example, you'd grant read:users to get all users.

If you make any changes to the scopes, click Update to save.


Get the Access Token

To access the API, you'll need to ask for and obtain the appropriate token.

Call the API

You can call the API via:

  • An HTML request
  • A cURL command

You can also find detailed information about the endpoints, as well as samples on how to call each endpoint using the three methods above, in the Authorization Extension API Explorer.

You can also refer to the API Explorer, which documents everything you can do via command line once you've enabled access to your extension via API.

Click over to the Explorer page for the API documentation.


Keep Reading