FusionAuth community forum
Topics tagged "authentication"

Solved: Best Practices for Securing Partner APIs with FusionAuth
Category: Frequently Asked Questions (FAQ) | Tags: login, authentication | Posted by: wesley
2 posts | 0 votes | 539 views

Latest post (wesley):

      Yes—using FusionAuth access tokens to secure partner-facing APIs is a solid approach. The key is ensuring the tokens contain the right claims to enforce proper authorization for your endpoints.

      Separating partners into a different tenant or application can improve security and simplify management. Different tenants fully isolate users and tokens, but would require duplicating application configs. Alternatively, you could keep partners in the same tenant and distinguish them via roles, claims, or separate applications.

      If partners are accessing APIs server-to-server, the client credentials grant (Entities in FusionAuth) is the correct choice. Be sure to carefully scope each partner’s access to avoid over-permissioning.

      More on these topics:

      API Authorization with FusionAuth Tenants Overview JWT Anatomy Authorization Models
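
The check the post describes, written out as an added example (not code from the post or from FusionAuth): a partner-facing API that validates a FusionAuth-style access token and then authorizes on its claims. It assumes the partner API is registered as its own FusionAuth application signing with HS256, so `aud` must be that application's id; that user tokens carry a `roles` claim and server-to-server (entity/client credentials) tokens carry a `permissions` claim; and every id, secret and token below is constructed for the example. Only the standard library is used.

```python
"""Resource-server side of a partner API: verify the token, then authorize on claims.

Added example, not FusionAuth code. All ids, the secret and the tokens are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example only.
PARTNER_API_APP_ID = "8f6c5e7a-1111-4b2b-9c3d-000000000001"  # FusionAuth application id of this API
ISSUER = "https://auth.example.com"                           # issuer configured on the tenant
SHARED_SECRET = b"example-only-hs256-secret-do-not-reuse"     # HMAC key shared with FusionAuth


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def verify_jwt(token: str, now: Optional[float] = None) -> dict:
    """Return the claims if alg, signature, iss, aud and exp all check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: the token header must never choose it (blocks alg=none / key-confusion tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    # aud must name this API: a token minted for another application is not accepted here.
    aud = claims.get("aud")
    if aud != PARTNER_API_APP_ID and not (isinstance(aud, list) and PARTNER_API_APP_ID in aud):
        raise ValueError("token not issued for this API")
    now = time.time() if now is None else now
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def authorize(claims: dict, needed: str) -> bool:
    """Per-endpoint authorization: a user token needs the role, an entity token needs the permission."""
    granted = set(claims.get("roles", [])) | set(claims.get("permissions", []))
    return needed in granted


def mint_token(claims: dict) -> str:
    """Constructed helper to build sample tokens; in production only FusionAuth signs tokens."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode("ascii"))
    p = _b64url_encode(json.dumps(claims).encode("utf-8"))
    sig = hmac.new(SHARED_SECRET, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def handle_request(token: str, needed: str, now: Optional[float] = None) -> int:
    """HTTP status for a request carrying `token` to an endpoint that requires `needed`."""
    try:
        claims = verify_jwt(token, now)
    except ValueError:
        return 401  # not a valid token for this API: authentication failed
    return 200 if authorize(claims, needed) else 403  # valid token, insufficient grant


if __name__ == "__main__":
    now = time.time()
    partner = mint_token({"iss": ISSUER, "aud": PARTNER_API_APP_ID, "sub": "entity-partner-acme",
                          "exp": now + 600, "permissions": ["orders:read"]})
    print(handle_request(partner, "orders:read"), handle_request(partner, "orders:write"))
```

Two things the example enforces that the post only alludes to: `aud` is checked against the API's own application id, so a token a partner legitimately holds for some other application cannot be replayed here, and the algorithm is pinned rather than read from the header.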
Solved: Maintaining OAuth/PKCE Flow During Email Verification in FusionAuth Mobile Apps
Category: Frequently Asked Questions (FAQ) | Tags: login, authentication | Posted by: wesley
2 posts | 0 votes | 503 views

Latest post (wesley):

      Good question—it’s a common challenge.

      By default, the email verification flow breaks the OAuth/PKCE context because the user leaves the registration page to check their email and clicks a verification link. FusionAuth can’t continue the OAuth flow automatically from that email link, which is why your hard-coded redirect URI fails without the required OAuth code.

      A better solution is to switch your email verification strategy from Clickable Link to Form Field (under Tenant → Email → Email Verification → Verification Strategy). With this approach, users stay on the original registration page, enter the verification code from their email, and the OAuth/PKCE flow remains intact—including the authorization code. This enables seamless redirecting back into your app after verification.

      If you’re creating and registering users for an application at the same time, remember to also check the app-level registration verification settings under:
      FusionAuth Admin UI → Applications → Edit Application → Registration tab.

      More details are in the docs: Registration Email Verification
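
The state the mobile app has to keep alive across the verification step, as an added example (not code from the post or from FusionAuth): the PKCE verifier and `state` are generated when the user taps sign-up, the authorize URL is built from them, and the same in-memory object is needed again to validate the redirect and build the token request. If the app drops this object because the user navigated away to follow an email link, the redirect arrives without a usable code or verifier, which is the failure the post describes. The FusionAuth base URL, client id and custom-scheme redirect URI are constructed placeholders; no network calls are made.

```python
"""PKCE session for a native/mobile client talking to FusionAuth's /oauth2/authorize and /oauth2/token.

Added example, not FusionAuth code. Base URL, client id and redirect URI are constructed.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

FUSIONAUTH = "https://auth.example.com"                 # constructed FusionAuth base URL
CLIENT_ID = "e9fdb985-9173-4e01-9d73-ac2d60d1dc8e"      # constructed application id
REDIRECT_URI = "com.example.app:/oauth2redirect"        # constructed custom-scheme redirect URI


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """43-character URL-safe code_verifier from 32 random bytes (RFC 7636 section 4.1)."""
    return _b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2)."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class PkceSession:
    """Everything the app must hold from 'Sign up' until the redirect comes back.

    With the Form Field verification strategy the user never leaves this screen,
    so this object survives and the authorization code can be redeemed.
    """

    def __init__(self) -> None:
        self.verifier = new_verifier()
        self.state = secrets.token_urlsafe(16)

    def authorize_url(self) -> str:
        params = {
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "response_type": "code",
            "scope": "openid offline_access",
            "state": self.state,
            "code_challenge": code_challenge(self.verifier),
            "code_challenge_method": "S256",
        }
        return f"{FUSIONAUTH}/oauth2/authorize?{urlencode(params)}"

    def token_request(self, callback_url: str) -> dict:
        """Validate the redirect and return the form body for POST /oauth2/token.

        Raises ValueError when state does not match or no authorization code is present.
        """
        q = parse_qs(urlparse(callback_url).query)
        if q.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch: redirect does not belong to this session")
        if "code" not in q:
            raise ValueError("no authorization code on redirect")  # the symptom in the post
        return {
            "grant_type": "authorization_code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "code": q["code"][0],
            "code_verifier": self.verifier,  # proves this is the client that started the flow
        }


if __name__ == "__main__":
    session = PkceSession()
    print(session.authorize_url())
```

A public mobile client has no client secret, so the `code_verifier` in the token request is the only thing binding the redeemed code to the app instance that started the flow; that is why it cannot be reconstructed after a restart and must simply be kept.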

Additional resources for identity
Category: Q&A | Tags: authentication, authorization, resources | Posted by: dan
2 posts | 0 votes | 928 views

Latest post (dan):

      I have enjoyed these books:

https://www.manning.com/books/oauth-2-in-action (very specific to OAuth, lots of code)

https://www.apress.com/gp/book/9781484250945 (more focused on bigger identity strategies and problems)

      Also, the IDPro body of knowledge is free and useful:

      https://idpro.org/body-of-knowledge/

Authentication for an Application with Web Client and Mobile front-ends
Category: Q&A | Tags: web client mobile authentication | Posted by: mehamm
10 posts | 0 votes | 13.2k views

Latest post (dan):

      @mehamm

      I am working on a multi tenant guide. Thank you very much for your feedback; I'll make sure to include it.

      As you continue to build out your multi tenant application, please continue to post on the forum about your progress and/or any other questions. 🙂

      We often hear our multi tenant support is a differentiator for FusionAuth, and would love to make it easy/clearer for everyone.