Securing an API endpoint

So, if my org has multiple users and multiple machine-to-machine apps, how can we only let a few in without hard-coding usernames?

Since machine-to-machine apps can be added to groups, I was hoping to use that, but a Developer Support Engineer so far has been unable to get this to work for me (case 00807774). How are others solving this problem?

Adding custom groups didn’t work for me - How to get Application Groups instead of User Groups in my token?

Can you use an access policy on the AuthZ server to enlist the clients/groups that are allowed to obtain a token?

How could we have multiple endpoints on one website with different requirements using Access Policies?

It depends on whether they use the same or a different authZ server in Okta. The authZ server doesn’t care about your endpoints, but rather about apps, groups, scopes…

Sorry, I can’t be more specific, as your question is also quite general. If you give a more concrete example/use case, I might be able to provide a more detailed answer.


My understanding is that a core app can only be connected to one auth server at a time in Startup.cs. So the endpoints would only allow access with tokens issued by a hard-coded auth server, even though they are connected to another auth server? That may work; I assumed everything had to be from the same auth server.
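The Startup.cs wiring discussed in the post above, written out as an added example (not code from the thread or from Okta): an ASP.NET Core app registers one JwtBearer scheme per Okta authorization server, and each endpoint is bound to a policy that names the scheme whose tokens it accepts and the scope the token must carry. Which client apps can obtain a token from each authorization server at all is decided by that server's access policy in Okta, so no client IDs or usernames need to be hard-coded in the API. The issuer URLs, audience values, scope names and scheme names are assumed placeholders.

```csharp
// Added example, not from the original thread. Assumes an ASP.NET Core 3.x/5.x
// app with Microsoft.AspNetCore.Authentication.JwtBearer referenced.
// All URLs, audiences and scope names below are placeholders.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Assumed scheme names: one per Okta custom authorization server.
    private const string UsersScheme = "OktaUsers";
    private const string MachinesScheme = "OktaMachines";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication()
            .AddJwtBearer(UsersScheme, options =>
            {
                // Assumed issuer. The handler reads signing keys from
                // {Authority}/.well-known/openid-configuration and checks
                // iss, exp and aud on every token.
                options.Authority = "https://example.okta.com/oauth2/aus_users_placeholder";
                options.Audience = "api://users";
            })
            .AddJwtBearer(MachinesScheme, options =>
            {
                // Second, independent issuer for machine-to-machine clients.
                options.Authority = "https://example.okta.com/oauth2/aus_machines_placeholder";
                options.Audience = "api://machines";
            });

        services.AddAuthorization(options =>
        {
            // Interactive-user endpoint: token must be issued by the users
            // authorization server and carry the assumed "reports.read" scope.
            // Okta emits "scp" as an array; each element becomes its own claim,
            // so RequireClaim matches a single scope value.
            options.AddPolicy("UserReports", policy => policy
                .AddAuthenticationSchemes(UsersScheme)
                .RequireAuthenticatedUser()
                .RequireClaim("scp", "reports.read"));

            // Machine endpoint: token must be issued by the machines
            // authorization server. The set of clients allowed to mint such a
            // token is the access policy on that server in Okta, not this code.
            options.AddPolicy("MachineIngest", policy => policy
                .AddAuthenticationSchemes(MachinesScheme)
                .RequireAuthenticatedUser()
                .RequireClaim("scp", "ingest.write"));
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController]
public class ApiController : ControllerBase
{
    // A token from the machines server is rejected here with 403 even though
    // it validates under the other scheme, because the policy names UsersScheme.
    [HttpGet("/reports")]
    [Authorize(Policy = "UserReports")]
    public IActionResult GetReports() => Ok();

    [HttpPost("/ingest")]
    [Authorize(Policy = "MachineIngest")]
    public IActionResult Ingest() => Accepted();
}
```

Two checks worth doing before relying on this: confirm that `Audience` matches the audience configured on each Okta authorization server (a mismatch fails every token with 401), and confirm that the machines server's access policy is assigned only to the client apps that should be able to call `/ingest`, since the API itself never inspects the client ID. If the same authorization server must serve both endpoints, a single scheme with two scope-based policies gives the same per-endpoint separation.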