Android: Calling APIs

By Luciano Balmaceda

This tutorial will show you how to use Access Tokens to make authenticated API calls. We recommend that you log in to follow this quickstart with examples configured for your account.

Get a sample configured with your account settings or check it out on GitHub.

System requirements: Android Studio 2.3 | Android SDK 25 | Emulator - Nexus 5X - Android 6.0

You may want to restrict access to your API resources, so that only authenticated users with sufficient privileges can access them. Auth0 lets you manage access to these resources using API Authorization.

This tutorial shows you how to access protected resources in your API.

Before You Start

Before you continue with this tutorial, make sure that you have completed the previous tutorials. This tutorial assumes that:

  • You have completed the Session Handling tutorial and you know how to handle the Credentials object.
  • You have set up a backend application as API. To learn how to do it, follow one of the backend tutorials.

Create an Auth0 API

In the APIs section of the Auth0 dashboard, click Create API. Provide a name and an identifier for your API. You will use the identifier later when you're preparing the Web Authentication. For Signing Algorithm, select RS256.

Add a Scope

By default, the Access Token does not contain any authorization information. To limit access to your resources based on authorization, you must use scopes. Read more about scopes in the scopes documentation.

In the Auth0 dashboard, in the APIs section, click Scopes. Add any scopes you need to limit access to your API resources.

You can give any names to your scopes. A common pattern is <action>:<resource>. The example below uses the name read:messages for a scope.


Get the User's Access Token

To retrieve an Access Token that is authorized to access your API, you need to specify the API Identifier you created in the Auth0 dashboard earlier. At the top of the class, add the constants for accessing the API: API_URL and API_IDENTIFIER.

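// app/src/main/java/com/auth0/samples/

// Endpoint of your protected API; OkHttp requires the scheme in the URL
private static final String API_URL = "http://localhost:8080/secure";
// Identifier of the API you created in the Auth0 dashboard
private static final String API_IDENTIFIER = "";

private void login() {
    Auth0 auth0 = new Auth0(this);
    WebAuthProvider.init(auth0)
            // Request an Access Token issued for your API
            .withAudience(API_IDENTIFIER)
            .start(LoginActivity.this, new AuthCallback() {
                @Override
                public void onFailure(@NonNull Dialog dialog) {
                    // Show error Dialog to user
                }

                @Override
                public void onFailure(AuthenticationException exception) {
                    // Show error to user
                }

                @Override
                public void onSuccess(@NonNull Credentials credentials) {
                    // Verify tokens and Store credentials
                }
            });
}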

For instructions on how to authenticate a user, see the Login tutorial.

Attach the Token

To give the authenticated user access to secured resources in your API, include the user's Access Token in the requests you send to the API.

In this example, we use the OkHttp library.

Create an instance of the OkHttpClient client and a new Request. Use the provided builder to customize the HTTP method, the URL and the headers in the request. Set the Authorization header with the token type and the user's Access Token. In the sample project, an accessToken field is set upon authentication success with the credentials.getAccessToken() value.

Depending on the standards in your API, you configure the authorization header differently. The code below is just an example.

// app/src/main/java/com/auth0/samples/

OkHttpClient client = new OkHttpClient();
Request request = new Request.Builder()
        .get()
        .url(API_URL)
        // accessToken holds the credentials.getAccessToken() value
        .addHeader("Authorization", "Bearer " + accessToken)
        .build();

Send the Request

Tell the client to create a new Call with the request you created. Call the enqueue function to execute the request asynchronously.

// app/src/main/java/com/auth0/samples/

client.newCall(request).enqueue(new Callback() {
    @Override
    public void onFailure(Request request, final IOException e) {
        // Show error
    }

    @Override
    public void onResponse(final Response response) throws IOException {
        if (response.isSuccessful()) {
            // API call success
        } else {
            // API call failed. Check http error code and message
        }
    }
});
You need to configure your backend application to protect your API endpoints with the key for your Auth0 application, API identifier and API scopes. In this example, you can use the user's Access Token issued by Auth0 to call your own APIs.
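
A backend-side check of the API identifier and scope described above, as an added example that is not part of the original tutorial or Auth0's code. It assumes a JWT library has already verified the token's RS256 signature, issuer and expiry and passed the claims in as a map, with "aud" as a string or list and "scope" as a space-delimited string; the class name, method names and sample values are hypothetical and constructed for illustration.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

public class AccessTokenClaimsCheck {

    /** True if the "aud" claim (a single string or a list of strings) names this API. */
    static boolean audienceMatches(Object aud, String apiIdentifier) {
        if (aud instanceof String) {
            return aud.equals(apiIdentifier);
        }
        if (aud instanceof Collection) {
            return ((Collection<?>) aud).contains(apiIdentifier);
        }
        return false; // missing or unexpected type: reject
    }

    /** True if the space-delimited "scope" claim contains the required scope as a whole token. */
    static boolean hasScope(Object scopeClaim, String required) {
        if (!(scopeClaim instanceof String)) {
            return false; // no scope claim: the token carries no authorization information
        }
        // Compare whole tokens; a substring test would also accept "read:messages-archive".
        return Arrays.asList(((String) scopeClaim).trim().split("\\s+")).contains(required);
    }

    /** Claims must come from a token that was already verified (assumption of this example). */
    static boolean isAuthorized(Map<String, Object> claims, String apiIdentifier, String scope) {
        return audienceMatches(claims.get("aud"), apiIdentifier)
                && hasScope(claims.get("scope"), scope);
    }

    public static void main(String[] args) {
        String api = "https://example-api.invalid/";   // constructed API identifier
        Map<String, Object> claims = new HashMap<>();  // constructed claims
        claims.put("aud", Arrays.asList(api, "https://tenant.example.invalid/userinfo"));
        claims.put("scope", "openid profile read:messages");
        System.out.println("granted scope:    " + isAuthorized(claims, api, "read:messages"));
        claims.put("scope", "openid read:messages-archive");
        System.out.println("look-alike scope: " + isAuthorized(claims, api, "read:messages"));
        claims.put("scope", "read:messages");
        claims.put("aud", "https://other-api.invalid/");
        System.out.println("wrong audience:   " + isAuthorized(claims, api, "read:messages"));
    }
}
```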
