Confused about how authentication works in 8base

I’ve successfully “logged in” with callback URL through the auth0.js client, but where/how do I use the access token? Do you pass the user access token in the request header like you do for API tokens?

So far I’ve just been using an API token to prototype because it’s easy. Even if I use 8base auth, I’d still like to understand how it works. Auth in general is very confusing.


@mike_ekim1024 hello!

You’re right. An ID token from Auth0 should be passed in the Authentication header, just like an API token.

Hey @mike_ekim1024! I’ve been working on a graph to show auth. I attached it here. Can you help me make it better?

Does it help explain anything?
Would it have helped you understand the auth flow had you had it originally?

Yes, that does help a bit Sebastian. I think the key is using idToken vs accessToken, and now it’s clear how 8base interacts with auth0 and the client. A few more questions though: the difference between authentication with redirect, and being able to put the login form on your own page (which it sounds like is in the diagram), and using social sign-on vs email/password.

I think I’m getting somewhere now. My queries are returning data now that I send Bearer idToken. I needed to add “id_token” to responseType, and use idToken instead of accessToken. I don’t know what the difference is. I know you have an auth library, but I really want to understand how it works, or else it just feels like magic.
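An added example of the client-side flow the posts above describe (this is not code from the thread, from 8base or from Auth0): read `id_token` out of the redirect URL fragment, check its `exp` claim locally, and send the idToken as `Authorization: Bearer …` on a GraphQL request. The endpoint URL and the sample token are constructed placeholders.

```javascript
// Added example, not code from the thread, 8base or Auth0.
// Endpoint URL and sample token below are constructed placeholders.

// Pull the token fields out of the "#access_token=...&id_token=..." fragment
// that the hosted login page puts in the redirect URL.
function parseAuthFragment(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  return {
    accessToken: params.get("access_token"),
    idToken: params.get("id_token"),
    expiresIn: Number(params.get("expires_in")),
  };
}

// Decode the JWT payload WITHOUT verifying it: the client only reads claims
// such as exp to know when to re-authenticate; the API verifies the signature.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Do not send a token that is already expired.
function isExpired(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp } = decodeJwtPayload(jwt);
  return typeof exp !== "number" || exp <= nowSeconds;
}

// Build fetch() arguments for a GraphQL query; the idToken goes in the
// Authorization header exactly as an API token would.
function buildGraphqlRequest(endpoint, idToken, query, variables = {}) {
  return {
    url: endpoint,
    options: {
      method: "POST",
      headers: { "Content-Type": "application/json", Authorization: `Bearer ${idToken}` },
      body: JSON.stringify({ query, variables }),
    },
  };
}

// Constructed, unsigned sample token (alg "none", empty signature) for offline use.
const toB64url = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_ID_TOKEN = [toB64url({ alg: "none", typ: "JWT" }),
  toB64url({ sub: "auth0|example", exp: 4102444800 }), ""].join(".");
```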

As an amateur magician I’m offended by your derogatory mention of magic and… joking!

Do you think this graph should be updated to show those different flows? Or that another graph would help you “dive deeper”?

Essentially, all scenarios are working similarly. If you use the email/password mutation, it goes to the auth provider and an idToken is returned. If you use a hosted login page, you’re on a secure login page that communicates with the auth provider and redirects you back to your application with the access token specified in the URL fragment.

When using a social sign on provider, the same thing is happening. It’s a hosted login page where the sign on provider will redirect the user back to the application with a url fragment containing the idToken.

What’s probably confusing is the differences between 8base Authentication Profiles, Auth Providers, and Single-Sign-On.

Authentication profiles are how 8base allows you to create different authentication settings. For example, on Authentication Profile A you may allow users open-to-all/self-sign up and get the “Guest” role, whereas on Authentication Profile B you might only allow users with an "@company.com" email domain and assign them an “Employee” role.

Auth Providers securely store users’ authentication credentials and issue idTokens upon authentication that can be verified when used. Certain ones (like Auth0) make it really easy to connect social logins.

Single Sign-on/Social Logins lets users use existing login information from a provider like Facebook, GitHub or Google so the user can sign into a third-party website instead of creating a new account (username/password) specifically for that website. This just simplifies registrations and logins for end users. An 8base Authentication Profile can have multiple single sign-on methods configured, allowing users to sign up using one of their existing social accounts OR email/password.

An accessToken (on Auth0) is non-user specific – just like an 8base API token – and commonly used to authenticate machine to machine communication, whereas the idToken is associated with an individual authenticated user. In regards to 8base, generating an API Token is the equivalent of using an accessToken, therefore we wouldn’t support an accessToken.


This is good stuff! Maybe represent email/social as 1.a and 1.b? They aren’t that different, but do use a different API. The isometric does look cool, but a little hard to read without tilting your head 🙂

So for every request, 8base contacts auth0? Is there any caching that happens, or any predictive fetching so that the auth and data can be fetched in parallel? For production, I’ll be researching latency, security, and that kind of stuff.
