Protect Your API

Everything you need to know to protect your API

Using Auth0 to protect your API means "outsourcing" authentication to a centralized service that ensures only approved applications can access your data. The calling application authenticates the user with Auth0, Auth0 issues tokens, and the application passes those tokens to your API. Auth0 also provides libraries and guidance for verifying the tokens your API receives from calling applications.

How it works

Your API will receive a request including an Access Token:

  1. An app authenticates a user with Auth0.
  2. Auth0 responds with the user's ID Token and Access Token.
  3. The app calls your API, passing along the Access Token.
  4. Your API validates the Access Token.
  5. Your API responds with the requested information.
(Figure: flow overview for protecting an API)

Implementation overview

  1. Configure your API

    Auth0 supports access from various application types. If you expect a machine-to-machine (M2M) application to call your API, go to the dashboard and authorize it to request Access Tokens.
    You can also allow your API to skip user consent for your own applications and define your API's scopes. If you're building a public-facing API, you'll need to let external callers know which of these scopes are available to them and provide guidance on how they can call your API.
  2. Use a JWT validation library to validate tokens

    The library takes care of parsing and validating the received tokens. Validation consists of a series of checks (at minimum: that the token is signed with the algorithm your API expects, that the signature verifies against your tenant's signing key, and that the issuer, audience, and expiration claims match what you configured), and if any of them fails you must reject the application's request. Follow one of our Backend/API Quickstarts to get started.
  3. Respond to the request

    Once the token has been successfully validated, respond to the calling application with the requested data.
