Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Multiple apis tokens #8382

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Multiple apis tokens #8382

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0273e0b
Start on doc
Oct 17, 2019
e3a773c
Start doc for multiple APIs
Oct 17, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions articles/tokens/guides/access-token/get-access-tokens-for-multiple-apis.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
---
title: Get Access Tokens for Multiple APIs
description: Learn how to get Access Tokens for multiple APIs.
topics:
- tokens
- access-tokens
- apis
contentType:
- how-to
useCase:
- invoke-api
---
# Get Access Tokens for Multiple APIs

There are times when you may need to obtain more than one access token, to be able to call more than one API. You will need a way to differentiate between these tokens and calls.

## Single-Page Applications

In SPAs you can use the [Auth0 SPA SDK](/libraries/auth0-spa-js) and can trigger Silent Authentication with the audience for the new token. The [Get Access Token for a different audience](/libraries/auth0-spa-js#get-access-token-for-a-different-audience) example shows how to do this using the SDK's `getTokenSilently()` method.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we explain how to do it with auth0.js?

## Applications with a Backend

In backend apps, you need to redirect to `/authorize` once per API, using `prompt=none&audience=YourAudience`. To know which token you need to call for each API you need to use the `state` parameter as way to correlate requests and responses.

```js
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's clarify this example is for Node JS + Express

// First state + audience stored
const state0 = uniq_id();
req.session.states[0] = { state: state0, audience: 'YourAudience0' }

// Second state + audience stored
const state1 = uniq_id();
req.session.states[1] = { state: state1, audience: 'YourAudience1' }
```

Then, you need to make an authorize call, using the appropriate SDK method if you are using one, or just a regular GET request, with these values included:

```
auth0.authorize({..., state: req.session.states[0].state, audience: req.session.states[0].audience }
```

In this manner, you can be certain of which API to call for what purpose, and which returned response is from which API. Checking the state in the response and then comparing it to your stored states will tell you the audience that it was paired with, which will tell you the API that it is responding from.

## Read more
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should also add a section for Native Apps, which also implies going through authorize for each token


* [Access Tokens](/tokens/access-token)
* [Use an Access Token](/tokens/guides/access-token/use-access-tokens)
* [Validate an Access Token](/tokens/guides/access-token/validate-access-token)
* [JSON Web Token](/jwt)
* [JSON Web Token Claims](/tokens/jwt-claims)
* [Token Best Practices](/tokens/concepts/token-best-practices)
* [Quickstarts](/quickstarts)
* [Authentication and Authorization Flows](/flows)