Client Credentials - machine to machine

[vincentcordel]

I use adonis as an API backend only.
I want to consume the api on multiple domains/subdomains using Vue (one app per domain)
Some routes should be public (unauthenticated user) and some private.

I'm a newbie so my excuses if it sounds obvious to you!

I can use access tokens guard to consume the API when a user is authenticated.
However I don't know how to consume the API for public routes (not logged in) while only restricting access to the API to the domains/subdomains.

I come from Laravel where I could use the passport package with client credentials grant tokens https://laravel.com/docs/11.x/passport#client-credentials-grant-tokens

But I don't know how to do it with Adonis (in addition to the access tokens guard).

Any help would be appreciated!

Thanks :)
Vincent

[thetutlage]

Since, both are the web clients, is it really a machine-to-machine communication? Because, whatever token you store in the browser can be taken by a user and the same could be used to issue requests from another clients as-well.

There are many similar discussion on the web related to this. For example: https://stackoverflow.com/questions/63180306/protect-a-public-api

The TLDR is:

• There is no bullet proof way to secure public endpoints.
• You can check for the request origin header. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin ( Can be bypassed easily )
• You can create a random cryptographically strong token and send it with every request. Since, this token will be stored on the frontend, anyone can copy/paste it to make requests from another client.
• Implement Rate limit to prevent abuse.