Using Auth0 to protect your API means that you will be "outsourcing" the authentication process to a centralized service that will help you ensure only approved applications can access your data. The calling application will authenticate the user, and Auth0 will generate tokens that can be passed to your API. Auth0 can also help you verify the tokens you receive from the applications that call your API.
Your API receives requests that carry an Access Token. End to end, the flow is:
- An app authenticates a user with Auth0.
- Auth0 responds with the user's ID Token and Access Token.
- The app calls your API, passing along the Access Token.
- Your API validates the Access Token.
- Your API responds with the requested information.
1. Configure your API
Auth0 supports access from various application types. If you expect a machine-to-machine (M2M) application to call your API, authorize it in the dashboard to request Access Tokens for your API (M2M applications obtain tokens with the Client Credentials grant; no user is involved).
You can also allow your API to skip user consent for your own (first-party) applications, and define the scopes (permissions) your API exposes. If you're building a public-facing API, you'll need to let external callers know which of these scopes are available to them and provide guidance on how to call your API.
2. Use a JWT validation library to validate tokens
The library takes care of parsing and validating the received token. Validation is a series of checks: at minimum, that the token is well formed, that its signature verifies against your tenant's signing key, that it has not expired, and that its issuer is your tenant and its audience is your API. If any of these checks fails, you must reject the application's request. Follow one of our Backend/API Quickstarts to get started.
3. Respond to the request
Once the token has been validated, check that it carries the scopes the requested operation requires, then respond to the calling application with the requested data.