Some of your assumptions are going to be wrong. You need to validate your key hypotheses and assumptions as early as possible. When it comes to new products, by definition you’re making assumptions, sometimes a lot of them.And, in the remote case that you’ve been living under a rock and the whole lean startup movement somehow got past you, this post will try to bring you up to speed (and possibly, get you slightly ahead of the pack), provided you force yourself and your team to take action! In this post I will draw on what I’ve learned over the years, through first-hand experiences and other sources and leave you with a validation framework that I hope you’ll be able to use. In fact, it’s possibly one of the hardest things you will ever do in your product life cycle, otherwise products and startups wouldn’t have the abysmal 90%+ failure rate they’ve become famous for. However, validation is easier said than done. In this case, if an application requests access the /create endpoint, but the access token's scope claim does not include the value create:users, then the API should reject the request.As product managers and entrepreneurs, we know the importance of validating an idea before committing to getting it built. Read:users provides access to the /read endpointĭelete:users provides access to the /delete endpoint For example, if your custom API provides three endpoints to read, create, or delete a user record, when you registered your API with Auth0, you created three corresponding permissions:Ĭreate:users provides access to the /create endpoint It should match the permissions required for the endpoint being accessed. To do so, you will need to check the scope claim ( scope, space-separated list of strings) in the decoded JWT's payload. Verify that the application has been granted the permissions required to access your API. At least one of the audience values for the token must match the unique identifier of the target API as defined in your API's Settings in the Identifier field. The aud field could contain both an audience corresponding to your custom API and an audience corresponding to the /userinfo endpoint. The token audience claim ( aud, array of strings) depends on the initial token request. If you've performed the standard JWT validation, you have already decoded the JWT's payload and looked at its standard claims. See Validate JSON Web Tokens for details. Because the access token is a JWT, you need to perform the standard JWT validation steps.
If any of these checks fail, the token is considered invalid, and the request must be rejected with 401 Unauthorized result. See Identity Provider Access Tokens for details. You can pass it to the issuing IdP and the IdP takes care of the rest. If you receive an access token from an identity provider (IdP), in general, you don't need to validate it. Changes in Auth0 Management APIv2 TokensĪn access token is meant for an API and should be validated only by the API for which it was intended.Get Management API Access Tokens for Production.Get Management API Access Tokens for Testing.Get Management API Access Tokens for Single-Page Applications.