ASP.NET Web API (OWIN): Using your API
This tutorial will show you how to use your API. We recommend you to Log in to follow this quickstart with examples configured for your account.
1. Establish two Auth0 Tenants
Calling the API from your application
You can call the API from your application by passing an Access Token in the
Authorization header of your HTTP request as a Bearer token.
In the Auth0 Dashboard
Obtaining an Access Token
If you are calling the API from a Single-Page Application or a Mobile/Native application, after the authorization flow is completed, you will get an Access Token. How you get the token and how you make the call to the API will be dependent on the type of application you are developing and the framework you are using. For more information refer to the relevant application Quickstarts which contain detailed instructions:
If you are calling the API from a command line tool or another service, where there isn't a user entering their credentials, you need to use the OAuth Client Credentials flow. To do that, register a Machine to Machine Application, and then subsequently use the Client ID and Client Secret of this application when making the request below and pass those along in the
client_secret parameters respectively. Also include the Audience for the API you want to call.
For testing purposes, you can also get an Access Token from the Test tab in your API settings.
2. Set up the Auth0 IDP (tenant 2)
Test Your API
1. Calling the secure endpoint
You can make a request to the
/api/private endpoint without passing any Access Token:
The API will return a 401 HTTP (Unauthorized) status code:
Once again, make the same request but this time pass along the Access Token as a Bearer token in the Authorization header of the request:
This time the API will return a successful response:
2. Testing the scoped endpoint
To test the endpoint that requires a scope, pass the Access Token containing the correct scope as a Bearer token in the Authorization header:
If the required scope is present, the API call is successful:
If the required scope is not present, the API returns a 403 HTTP Status (Forbidden):