Protect Your API
Everything you need to know to protect your API
Using Auth0 to protect your API means that you will be "outsourcing" the authentication process to a centralized service that will help you ensure only approved applications can access your data. The calling application will authenticate the user, and Auth0 will generate tokens that can be passed to your API. Auth0 can also help you verify the tokens you receive from the applications that call your API.
How it works
Your API will receive a request including an Access Token:
- An app authenticates a user with Auth0.
- Auth0 responds with the user's ID Token and Access Token.
- The app calls your API, passing along the Access Token.
- Your API validates the Access Token.
- Your API responds with the requested information.
Implementation overview
- 1
Configure your API
Auth0 supports access from various application types. If you expect a machine-to-machine (M2M) app to call your API, go to the dashboard and authorize them to request Access Tokens.
You can also allow your API to skip user consent for your own apps and identify your API's scopes. If you're building a public-facing API, you'll need to let external callers know which of these scopes are available to them and provide guidance on how they can call your API. - 2
Use a JWT validation library to validate tokens
The library will take care of the details of parsing and validating the received tokens. This consists of a series of steps, and if any of these fails, then you must reject the application's request. Follow one of our Backend/API Quickstarts to get started. - 3
Respond to the request
Once your token has been successfully validated, respond to the calling application with their requested data.
Keep reading
Guides
Step-by-step instructions for tasks
Concepts
Understand the fundamentals
What's next
- Auth0 offers many ways to personalize your user's login experience and customize tokens using rules and hooks.
- Learn how to call your API from your app: Call Your API from My Native/Mobile App, Call Your API from My Regular Web App, Call Your API from Your Single-Page App, or Call Your API from a M2M App.
- If you are building your own application and you want to log users in using Auth0, learn to add login to your app: Add Login to Your Native/Mobile App, Add Login to Your Regular Web App, or Add Login to Your Single-Page App.
Was this article helpful?
Any suggestion or typo? Edit on GitHub