React: Calling an API
This tutorial demonstrates how to make API calls for protected resources on your server. We recommend that you log in to follow this quickstart with examples configured for your account.
Most single-page apps use resources from data APIs. You may want to restrict access to those resources, so that only authenticated users with sufficient privileges can access them. Auth0 lets you manage access to these resources using API Authorization.
This tutorial shows you how to access protected resources in your API.
Create an API
Add a Scope
By default, the Access Token does not contain any authorization information. To limit access to your resources based on authorization, you must use scopes. Read more about scopes in the scopes documentation.
In the Auth0 dashboard, in the APIs section, click Scopes. Add any scopes you need to limit access to your API resources.
Configure your Application
auth0.WebAuth instance, enter your API identifier as the value for
Add your scopes to the
Send Authenticated HTTP Requests
To give the authenticated user access to secured resources in your API, include the user's Access Token in the requests you send to your API. There are two common ways to do this.
- Store the Access Token in a cookie. The Access Token is then included in all requests.
Authorization header using the
Protect Your API Resources
To restrict access to the resources served by your API, check the incoming requests for valid authorization information. The authorization information is in the Access Token created for the user. To see if the token is valid, check it against the JSON Web Key Set (JWKS) for your Auth0 account. To learn more about validating Access Tokens, read the Verify Access Tokens tutorial.
In each language and framework, you verify the Access Token differently.
Typically, you use a middleware function to verify the token. If the token is valid, the request proceeds and the user gets access to resources in your API. If the token is invalid, the request is rejected with a 401 Unauthorized error.
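The server-side check described above, as an added example that is not Auth0's own code: a middleware-style function that verifies an RS256 Access Token against a JWKS using only Node's built-in crypto module. The issuer, audience, key ID and scope names are constructed, a locally generated key pair stands in for the tenant's published JWKS, and returning 403 for a valid token that lacks the required scope is an assumption of this example.

```javascript
const crypto = require("node:crypto");

// Constructed demo values; a real API fetches the JWKS published for its tenant.
const ISSUER = "https://tenant.example/";
const AUDIENCE = "https://api.example/";
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const JWKS = { keys: [{ ...publicKey.export({ format: "jwk" }), kid: "demo-key", use: "sig" }] };

const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Hypothetical helper standing in for the authorization server: signs claims with RS256.
function issueToken(claims, header = { alg: "RS256", typ: "JWT", kid: "demo-key" }, key = privateKey) {
  const input = `${b64u(header)}.${b64u(claims)}`;
  return `${input}.${crypto.sign("sha256", Buffer.from(input), key).toString("base64url")}`;
}

// Returns the verified claims, or throws if any check fails.
function verifyAccessToken(token) {
  const [h, p, s, extra] = String(token).split(".");
  if (!h || !p || !s || extra !== undefined) throw new Error("malformed token");
  const header = JSON.parse(Buffer.from(h, "base64url").toString());
  // Pin the algorithm: the token must not be able to select "none" or a symmetric alg.
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const jwk = JWKS.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error("unknown kid");
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: "jwk" });
  if (!crypto.verify("sha256", Buffer.from(`${h}.${p}`), key, Buffer.from(s, "base64url")))
    throw new Error("bad signature");
  // Only read claims after the signature has been verified.
  const claims = JSON.parse(Buffer.from(p, "base64url").toString());
  if (claims.iss !== ISSUER) throw new Error("wrong issuer");
  if (![].concat(claims.aud).includes(AUDIENCE)) throw new Error("wrong audience");
  if (typeof claims.exp !== "number" || claims.exp <= Date.now() / 1000) throw new Error("expired");
  return claims;
}

// Middleware-style decision: 401 for a missing or invalid token, 403 for a missing scope.
function authorize(authorizationHeader, requiredScope) {
  const match = /^Bearer (\S+)$/.exec(authorizationHeader || "");
  if (!match) return { status: 401 };
  try {
    const claims = verifyAccessToken(match[1]);
    const scopes = String(claims.scope || "").split(" ");
    return scopes.includes(requiredScope) ? { status: 200, claims } : { status: 403 };
  } catch {
    return { status: 401 };
  }
}
```

In an Express-style app, the result of `authorize(req.headers.authorization, scope)` decides whether to call the next handler or end the response with that status.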