> Auth0 Configuration for the Server + API architecture scenario

# Auth0 Configuration (Server Apps + API)

In this section, we will review ExampleCo's configurations using the [Auth0 Dashboard](https://manage.auth0.com/#).

## Configure the API

To protect an API, you must register an API using the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip>. Follow instructions on [Register APIs](/docs/get-started/auth0-overview/set-up-apis) to configure the Timesheets API.

### JSON Web Token Profile

<Tooltip tip="OAuth 2.0: Authorization framework that defines authorization protocols and workflows." cta="View Glossary" href="/docs/glossary?term=OAuth+2.0">OAuth 2.0</Tooltip> defines profiles, or dialects, for an <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=access+token">access token</Tooltip>. Auth0 supports two different profiles:

* Auth0 token profile
* RFC 9068 profile

The default is the Auth0 profile. The main difference between the two profiles is in the claim names: for example, the Auth0 profile uses `azp` where the RFC 9068 profile uses `client_id`. You can learn more about the differences by reading [Access Token Profiles](/docs/secure/tokens/access-tokens/access-token-profiles).

### Signing Algorithms

When you create an API, you must select the algorithm with which your tokens will be signed. The signature is used to verify that the sender of the <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWT">JWT</Tooltip> is who it says it is and to ensure that the message hasn't been changed along the way.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  The signature is part of a JWT. If you are unfamiliar with JWT structure, please see [JSON Web Token Structure](/docs/secure/tokens/json-web-tokens/json-web-token-structure).
</Callout>

To create the signature, the issuer takes the encoded header, the encoded payload, and a secret (or private key), and signs them with the algorithm specified in the header. That algorithm, which is part of the JWT header, is the one you select for your API: `HS256`, `RS256`, or `PS256`.

The most secure practice, and our recommendation, is to use **RS256**. Some of the reasons are:

* With RS256, you are sure that only the holder of the private key (Auth0) can sign tokens, while anyone can check if the token is valid using the public key.
* Under HS256, if the shared secret is compromised, you must re-deploy the API with a new secret. With RS256, you can request a token that is valid for multiple audiences.
* With RS256, you can implement key rotation without having to re-deploy the API with the new secret.

## Configure the Scopes

In the settings for your API, you will need to configure the Scopes that applications can request during authorization. Navigate to the Permissions tab.

In this section, you can add all four of the scopes discussed before: `read:timesheets`, `create:timesheets`, `delete:timesheets`, and `approve:timesheets`. Also add an additional scope: `batch:upload`.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  For the purpose of this document, we will only be concerned with the `batch:upload` scope because that is all that is required by the cron job. However, for the sake of completeness, we are adding the necessary scopes which will be required by future applications.
</Callout>

<Frame>
  <img src="https://mintcdn.com/docs-dev-actions-triggers-prototype/4MaQENhfcY-1egb6/docs/images/cdy7uua7fh8z/73FeuGyODcu3q7PKjLaQOO/63d8d20e9249e751152b4530005f4c71/Timesheets_API_-_Permissions_-_English.png?fit=max&auto=format&n=4MaQENhfcY-1egb6&q=85&s=aa3c26129e20c2e04e66158d4156da2c" alt="Dashboard > APIs > Permissions" data-og-width="1052" width="1052" data-og-height="916" height="916" data-path="docs/images/cdy7uua7fh8z/73FeuGyODcu3q7PKjLaQOO/63d8d20e9249e751152b4530005f4c71/Timesheets_API_-_Permissions_-_English.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/docs-dev-actions-triggers-prototype/4MaQENhfcY-1egb6/docs/images/cdy7uua7fh8z/73FeuGyODcu3q7PKjLaQOO/63d8d20e9249e751152b4530005f4c71/Timesheets_API_-_Permissions_-_English.png?w=280&fit=max&auto=format&n=4MaQENhfcY-1egb6&q=85&s=e627117ae8154d977b20515ac39fe7fb 280w, https://mintcdn.com/docs-dev-actions-triggers-prototype/4MaQENhfcY-1egb6/docs/images/cdy7uua7fh8z/73FeuGyODcu3q7PKjLaQOO/63d8d20e9249e751152b4530005f4c71/Timesheets_API_-_Permissions_-_English.png?w=560&fit=max&auto=format&n=4MaQENhfcY-1egb6&q=85&s=3a19aa03a7eadf297ae1483edcb408b7 560w, https://mintcdn.com/docs-dev-actions-triggers-prototype/4MaQENhfcY-1egb6/docs/images/cdy7uua7fh8z/73FeuGyODcu3q7PKjLaQOO/63d8d20e9249e751152b4530005f4c71/Timesheets_API_-_Permissions_-_English.png?w=840&fit=max&auto=format&n=4MaQENhfcY-1egb6&q=85&s=28255fe61e989fd75d287705f1924cfe 840w, https://mintcdn.com/docs-dev-actions-triggers-prototype/4MaQENhfcY-1egb6/docs/images/cdy7uua7fh8z/73FeuGyODcu3q7PKjLaQOO/63d8d20e9249e751152b4530005f4c71/Timesheets_API_-_Permissions_-_English.png?w=1100&fit=max&auto=format&n=4MaQENhfcY-1egb6&q=85&s=7c565015bdf19e10d78d4a2d26c129c5 1100w, 
https://mintcdn.com/docs-dev-actions-triggers-prototype/4MaQENhfcY-1egb6/docs/images/cdy7uua7fh8z/73FeuGyODcu3q7PKjLaQOO/63d8d20e9249e751152b4530005f4c71/Timesheets_API_-_Permissions_-_English.png?w=1650&fit=max&auto=format&n=4MaQENhfcY-1egb6&q=85&s=6c380cec5ccfe955fb15d9c5525b7e28 1650w, https://mintcdn.com/docs-dev-actions-triggers-prototype/4MaQENhfcY-1egb6/docs/images/cdy7uua7fh8z/73FeuGyODcu3q7PKjLaQOO/63d8d20e9249e751152b4530005f4c71/Timesheets_API_-_Permissions_-_English.png?w=2500&fit=max&auto=format&n=4MaQENhfcY-1egb6&q=85&s=0eff306da4f1247cd105fd87d361d857 2500w" />
</Frame>

## Create the Application

When creating an API in the Auth0 Dashboard, a test application for the API will automatically be generated. In the Auth0 Dashboard, navigate to the [Application Section](https://manage.auth0.com/#/applications), and you will see the test application for the Timesheets API.

<Frame>
  <img src="https://mintcdn.com/docs-dev-actions-triggers-prototype/nRTYX19FsgfcTLla/docs/images/cdy7uua7fh8z/7lnuzFgs3IuWyL4bK5aVZV/05abca8035c011bf018b27e31f77a055/2024-06-28_17-13-34.png?fit=max&auto=format&n=nRTYX19FsgfcTLla&q=85&s=888f6a8fd10633fc3587b80af8b3da14" alt="undefined" width="1552" height="760" data-path="docs/images/cdy7uua7fh8z/7lnuzFgs3IuWyL4bK5aVZV/05abca8035c011bf018b27e31f77a055/2024-06-28_17-13-34.png" />
</Frame>

Go to the settings for the application by selecting the menu option at the end. Rename the application to `Timesheets Import Job`.

For the cron job, you will need a Machine-to-Machine Application. The test application that was generated when the API was created was automatically configured as a Machine-to-Machine Application.

## Configure Application's access to the API

Finally, you must allow the application access to the Timesheets API. Go back to the configuration of the API, and select the Machine to Machine Application tab.

You will see the **Timesheets Import Job** application listed, and it should have access to the API, as shown by the switch to the right of the application name indicating `Authorized`. If it does not, simply toggle the switch from `Unauthorized` to `Authorized`.

You will also need to specify which scopes will be included in access tokens that are issued to the application when the application authorizes with Auth0.

Expand the settings for the application by clicking on the down arrow to the far right, and you will see the list of available scopes. The cron job will only require the `batch:upload` scope as it will simply create new timesheets based on the timesheet entries in the external system.

Once you have selected the `batch:upload` scope, save the settings by clicking the **Update** button.

<Frame>
  <img src="https://mintcdn.com/docs-dev-actions-triggers-prototype/I9SBuhVKpyu444Ha/docs/images/cdy7uua7fh8z/3PjvkTaoOZKWCMJol4ajCu/b5df50d1b78f95f5a2a8f82e6bb39e42/2025-02-26_18-58-47.png?fit=max&auto=format&n=I9SBuhVKpyu444Ha&q=85&s=b76aa06aa8eaa2d483788973637d932d" alt="Dashboard - Applications - APIs - Machine to Machine Applications - Authorize" width="898" height="1274" data-path="docs/images/cdy7uua7fh8z/3PjvkTaoOZKWCMJol4ajCu/b5df50d1b78f95f5a2a8f82e6bb39e42/2025-02-26_18-58-47.png" />
</Frame>

Now that we have designed our solution and discussed the configurations needed on Auth0's side, we can proceed with the implementation.
