Give others access to your API

Although we do not currently have a dedicated feature for it, there is a way to provide your users with programmatic access to your API and applications via Kinde.

You need to register your API with Kinde before you begin.

Here’s the process:

  • Create a machine to machine (M2M) application
  • Connect the application to your API
  • Provide access to the user via token or app keys

Create an M2M application

Create a separate M2M application for each user, system, or business that needs to access your API. It is not secure to share access via the same tokens or app keys.

  1. Go to Settings > Applications.
  2. Select Add Application.
  3. In the dialog that opens, give the application a name, and select Machine to Machine as the Application type.
  4. Select Save. App keys - including Domain details, Client ID and Client Secret - are issued for the application.

Connect the API to the application

  1. In the application list, find the M2M app you created and select View details.
  2. Select APIs in the menu. A list of all available APIs is shown.
  3. Switch on the APIs you want to connect to the application. Be very careful to select the intended API and not Kinde’s API.
  4. Select Save.

If you need to cut off access to your API for a user, you can switch off the connection any time.

Provide access to third parties

There are two ways you can provide access to your API: via token or app keys.

The third party can request a token using the relevant audience in the claim, for example:

POST https://yourbusiness.kinde.com/oauth2/token
{
  "client_id": "XXX",
  "client_secret": "XXX",
  "grant_type": "client_credentials",
  "audience": "http://api.example.com/api"
}

Granting access this way means you don’t have to share the Client ID and Secret with anyone.

Copy the app keys (Domain, Client ID, and Client secret) from the M2M application and provide them to the third party. This gives them access to the endpoint, e.g. http://api.example.com/api. Providing app keys authorizes access unless the Client secret is rotated or revoked.
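The token request above, plus a check that an issued token is scoped to your API and not to any other audience, as an added example (not Kinde's own code). It assumes the token endpoint accepts standard OAuth 2.0 form-encoded parameters and that access tokens are JWTs carrying an `aud` claim; the function names are hypothetical and the sample token is constructed.

```python
import base64
import json
import urllib.parse
import urllib.request

KINDE_DOMAIN = "https://yourbusiness.kinde.com"  # Domain from the app keys (page's placeholder)
AUDIENCE = "http://api.example.com/api"          # audience of the API registered in Kinde


def build_token_request(client_id, client_secret, audience=AUDIENCE):
    """Build (but do not send) the client-credentials request for one M2M app."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}  # assumed encoding
    return urllib.request.Request(f"{KINDE_DOMAIN}/oauth2/token", data=body,
                                  method="POST", headers=headers)


def token_audiences(access_token):
    """Read aud from the JWT payload. Inspection only: the API itself must
    still verify the signature with a JWT library before trusting any claim."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    aud = json.loads(base64.urlsafe_b64decode(padded)).get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def is_scoped_to(access_token, audience=AUDIENCE):
    """True only if the token names the intended API and nothing else."""
    return token_audiences(access_token) == [audience]


def constructed_token(aud):
    """Constructed, unsigned sample token for the demo (not a real Kinde token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": aud}), "sig"])


if __name__ == "__main__":
    req = build_token_request("XXX", "XXX")
    print(req.get_method(), req.full_url)
    print(is_scoped_to(constructed_token([AUDIENCE])))
```

Run the audience check on any token before handing it to a third party; a token whose `aud` lists an API other than the intended one means the wrong API was switched on for that M2M application.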