PHP API: Using your API

PHP API: Using your API

Gravatar for
By Josh Cunningham

This tutorial will show you how to use your API. We recommend you to Log in to follow this quickstart with examples configured for your account.

Index of Configurable Options

Calling the API from your application

You can call the API from your application by passing an Access Token in the Authorization header of your HTTP request as a Bearer token.


Obtaining an Access Token

If you are calling the API from a Single-Page Application or a Mobile/Native application, after the authorization flow is completed, you will get an Access Token. How you get the token and how you make the call to the API will be dependent on the type of application you are developing and the framework you are using. For more information refer to the relevant application Quickstarts which contain detailed instructions:

If you are calling the API from a command line tool or another service, where there isn't a user entering their credentials, you need to use the OAuth Client Credentials flow. To do that, register a Machine to Machine Application, and then subsequently use the Client ID and Client Secret of this application when making the request below and pass those along in the client_id and client_secret parameters respectively. Also include the Audience for the API you want to call.

Auth0 customers are billed based on the number of Machine to Machine Access Tokens issued by Auth0. Once your application gets an Access Token it should keep using it until it expires, to minimize the number of tokens requested.

For testing purposes, you can also get an Access Token from the Test tab in your API settings.


Test Your API

1. Calling the secure endpoint

You can make a request to the /api/private endpoint without passing any Access Token:

The API will return a 401 HTTP (Unauthorized) status code:

Response for unauthorized API request

Once again, make the same request but this time pass along the Access Token as a Bearer token in the Authorization header of the request:

This time the API will return a successful response:

Response for authorized API request

2. Testing the scoped endpoint

To test the endpoint that requires a scope, pass the Access Token containing the correct scope as a Bearer token in the Authorization header:

If the required scope is present, the API call is successful:

Response for scoped API request

If the required scope is not present, the API returns a 403 HTTP Status (Forbidden):

Response for forbidden scoped API request

Use Auth0 for FREE