> Application Implementation for the Server + API architecture scenario

# Application Implementation (Server Apps + API)

In this section of the tutorial, we will take an in-depth look into our API and its associated Machine-to-Machine Application. To start at the beginning, read [Server Applications with API](/docs/get-started/architecture-scenarios/server-application-api).

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  For simplicity, we will keep our implementation solely focused on authentication and authorization. As you will see in the samples, the input timesheet entry will be hard-coded, and the API will not persist the timesheet entry. Instead, it will simply echo back some of the info.
</Callout>

## Define the API endpoints

An **API endpoint** is a static URI that represents a resource (collection of data).

For example, a restaurant API might have endpoints such as `/orders` and `/customers`. An application that connects to this API can perform CRUD (create, read, update, delete) operations by calling an API endpoint with the associated HTTP method (`POST`, `GET`, `PUT`, `PATCH`, or `DELETE`).

For ExampleCo's Timesheets API, you will need to configure an endpoint to create timesheet entries.

| HTTP method | API endpoint         | Description                   |
| ----------- | -------------------- | ----------------------------- |
| `POST`      | `/timesheets/upload` | Creates a new timesheet entry |

The request body is a JSON object describing the entry, for example:

```json lines theme={null}
{
  "user_id": "007",
  "date": "2017-05-10T17:40:20.095Z",
  "project": "StoreZero",
  "hours": 5
}
```

If the API processes the request successfully, it responds with an `HTTP 201 Created` status code and a body containing a JSON object whose `message` property describes the newly created timesheet:

```json lines theme={null}
{
  "message": "Created timesheet 14 for employee 007."
}
```

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  See the implementation in [Node.js](/docs/get-started/architecture-scenarios/server-application-api/api-implementation-nodejs#1-define-the-api-endpoint).
</Callout>

### Secure the API endpoints

To secure your API endpoint(s), you need to implement a middleware function within your API application to handle tokens. This function checks that a token was included with the API request (in the `Authorization: Bearer` header), validates the token (signature against the tenant's signing key, issuer, audience, and expiry), and then confirms that the scope(s) required to perform the requested action are present.

If all criteria are satisfied, the API application responds with the message mentioned previously. If there are any issues with the provided <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=access+token">access token</Tooltip> (or it’s not provided at all), the API application sends a response with the `HTTP 401 Unauthorized` status code.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  See the implementation in [Node.js](/docs/get-started/architecture-scenarios/server-application-api/api-implementation-nodejs#2-secure-the-api-endpoint).
</Callout>

#### Get an access token

To get an access token without using our application sample implementation, call the Auth0 Authentication API's [Get Token](https://auth0.com/docs/api/authentication#get-token54) endpoint with the following JSON payload:

```json lines theme={null}
{
  "audience": "{yourApiIdentifier}",
  "grant_type": "client_credentials",
  "client_id": "${account.client_id}",
  "client_secret": "${account.client_secret}"
}
```

## Check the application permissions

Now we have secured our API's endpoint with an access token, but we still haven't ensured that the process calling the API has the rights to post a new timesheet entry.

As discussed earlier, each access token may include a list of the permissions that have been granted to the application. These permissions are defined using the `scope` request parameter. To learn how to configure this, see the [Configure the Scopes](/docs/get-started/architecture-scenarios/server-application-api/part-3#configure-the-scopes) section.

For our endpoint, we will require the scope `batch:upload`.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  See the implementation in [Node.js](/docs/get-started/architecture-scenarios/server-application-api/api-implementation-nodejs#3-check-the-client-permissions).
</Callout>

## Implement the Machine-to-Machine Application

In this section, we will see how we can implement a Machine-to-Machine Application for our scenario.

### Get an access token

We will start by invoking the Auth0 `/oauth/token` API endpoint to get an access token.

To do so, we will need the following configuration values you can find in your [application settings](https://manage.auth0.com/#/applications):

* **Domain**: Your Auth0 domain, which also identifies your tenant. This value is part of the token endpoint URL: `https://{yourDomain}/oauth/token`.
* **<Tooltip tip="Audience: Unique identifier of the audience for an issued token. Named aud in a token, its value contains the ID of either an application (Client ID) for an ID Token or an API (API Identifier) for an Access Token." cta="View Glossary" href="/docs/glossary?term=Audience">Audience</Tooltip>**: API identifier.
* **<Tooltip tip="Client ID: Identification value given to your registered resource from Auth0." cta="View Glossary" href="/docs/glossary?term=Client+ID">Client ID</Tooltip>**: Auth0 Application's Client ID.
* **<Tooltip tip="Client Secret: Secret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to not be guessable." cta="View Glossary" href="/docs/glossary?term=Client+Secret">Client Secret</Tooltip>**: Auth0 application's Client Secret.

Our implementation should perform a `POST` operation to the `https://{yourDomain}/oauth/token` endpoint with a payload in the following format:

```json lines theme={null}
{
  "audience": "{yourApiIdentifier}",
  "grant_type": "client_credentials",
  "client_id": "${account.client_id}",
  "client_secret": "${account.client_secret}"
}
```

To learn more, see [Call Your API Using the Client Credentials Flow](/docs/get-started/authentication-and-authorization-flow/client-credentials-flow/call-your-api-using-the-client-credentials-flow).

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  See the implementation in [Python](/docs/get-started/architecture-scenarios/server-application-api/cron-implementation-python#get-an-access-token).
</Callout>

### Invoke the API

Now that we have an access token that includes the required scope, we can invoke our API.

To do so, we will:

* Build a hard-coded timesheet entry in JSON format.
* Add the access token as an `Authorization` header to our request.
* Make the HTTP `POST` request.
* Parse the response, and print it in the terminal (optional).

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  See the implementation in [Python](/docs/get-started/architecture-scenarios/server-application-api/cron-implementation-python#invoke-the-api).
</Callout>
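The two steps above (get an access token with the client credentials payload shown on this page, then invoke the API with it in the `Authorization` header), as an added example written in Node.js rather than the page's Python cron sample. The tenant domain, API identifier, API URL and the stub that stands in for the tenant and the API are assumptions made for an offline run; the injectable `fetchImpl` is what makes that possible, and in production you would pass the platform's `fetch`.

```javascript
// Added example, not the page's own Python sample. Assumptions (hypothetical):
// the URLs below and the constructed stub in makeStubFetch(); in production
// read the client ID and secret from secret storage, never from source.
const TOKEN_URL = "https://example-tenant.auth0.com/oauth/token";    // https://{yourDomain}/oauth/token
const AUDIENCE = "https://timesheets.example.com/api";                // {yourApiIdentifier}
const API_URL = "https://timesheets.example.com/timesheets/upload";

// Step 1: client credentials grant, with the JSON payload shown on this page.
async function requestAccessToken(clientId, clientSecret, fetchImpl) {
  const res = await fetchImpl(TOKEN_URL, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({
      audience: AUDIENCE,
      grant_type: "client_credentials",
      client_id: clientId,
      client_secret: clientSecret,
    }),
  });
  const data = await res.json();
  // Surface the error code, but never echo the request (and its secret) into logs.
  if (!res.ok) throw new Error(`token request failed: ${res.status} ${data.error || ""}`);
  if (data.token_type !== "Bearer" || typeof data.access_token !== "string") {
    throw new Error("unexpected token response");
  }
  return { accessToken: data.access_token, expiresAt: Date.now() + data.expires_in * 1000 };
}

// Reuse the token for its lifetime minus a safety margin: every client
// credentials call is a token-endpoint request, so a job that uploads several
// entries should not mint a fresh token per upload.
function makeTokenSource(clientId, clientSecret, fetchImpl, marginMs = 60000) {
  let cached = null;
  return async function getToken() {
    if (!cached || Date.now() + marginMs >= cached.expiresAt) {
      cached = await requestAccessToken(clientId, clientSecret, fetchImpl);
    }
    return cached.accessToken;
  };
}

// Step 2: POST the entry with the token in the Authorization header and
// treat 401/403 from the API as a token/permission problem, not a data problem.
async function uploadTimesheet(getToken, entry, fetchImpl) {
  const res = await fetchImpl(API_URL, {
    method: "POST",
    headers: { authorization: `Bearer ${await getToken()}`, "content-type": "application/json" },
    body: JSON.stringify(entry),
  });
  const body = await res.json();
  if (res.status === 401 || res.status === 403) {
    throw new Error(`API rejected the request: ${res.status} ${JSON.stringify(body)}`);
  }
  if (res.status !== 201) throw new Error(`unexpected status ${res.status}`);
  return body;
}

// Constructed stub (not a real server) standing in for the tenant and the API:
// issues one token for the right grant/audience/secret and accepts uploads
// only when that token is presented as a Bearer token.
function makeStubFetch() {
  const calls = { token: 0, api: 0 };
  const reply = (status, obj) => ({ ok: status < 400, status, json: async () => obj });
  const fetchImpl = async (url, opts) => {
    if (url === TOKEN_URL) {
      calls.token += 1;
      const b = JSON.parse(opts.body);
      if (b.grant_type !== "client_credentials" || b.audience !== AUDIENCE || b.client_secret !== "s3cr3t") {
        return reply(401, { error: "access_denied" });
      }
      return reply(200, { access_token: "stub.jwt.token", token_type: "Bearer", expires_in: 86400 });
    }
    calls.api += 1;
    if (opts.headers.authorization !== "Bearer stub.jwt.token") return reply(401, { error: "unauthorized" });
    return reply(201, { message: `Created timesheet 14 for employee ${JSON.parse(opts.body).user_id}.` });
  };
  return { fetchImpl, calls };
}

// End to end against the stub: two uploads share one token request.
async function demo(clientId = "client-id", clientSecret = "s3cr3t") {
  const { fetchImpl, calls } = makeStubFetch();
  const getToken = makeTokenSource(clientId, clientSecret, fetchImpl);
  const entry = { user_id: "007", date: "2017-05-10T17:40:20.095Z", project: "StoreZero", hours: 5 };
  const first = await uploadTimesheet(getToken, entry, fetchImpl);
  await uploadTimesheet(getToken, { ...entry, hours: 3 }, fetchImpl);
  return { message: first.message, tokenRequests: calls.token, apiCalls: calls.api };
}

module.exports = { requestAccessToken, makeTokenSource, uploadTimesheet, makeStubFetch, demo };
```

Against a live tenant, call `makeTokenSource(id, secret, globalThis.fetch)` (Node 18 or later) with credentials loaded from the environment or a secret store; the stub exists only so the control flow, including the rejected-credentials path, can be exercised without network access.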
