    Best Practices for Securing Partner APIs with FusionAuth

    Category: Frequently Asked Questions (FAQ)
    Tags: login authentication
    • wesley:

      We use FusionAuth for user authentication on our website and plan to expose certain API endpoints to external partners. Our idea is to have partners authenticate via FusionAuth and then use the access token (JWT) to call our secured APIs.

      Is this the recommended way to secure partner APIs with FusionAuth? Should we separate partner users into a different tenant or application for better isolation? And if partners need server-to-server access, is the client credentials grant the right approach?

      • wesley @wesley:

        Yes—using FusionAuth access tokens to secure partner-facing APIs is a solid approach. The key is ensuring the tokens contain the right claims to enforce proper authorization for your endpoints.

        Separating partners into a different tenant or application can improve security and simplify management. Different tenants fully isolate users and tokens, but would require duplicating application configs. Alternatively, you could keep partners in the same tenant and distinguish them via roles, claims, or separate applications.

        If partners are accessing APIs server-to-server, the client credentials grant (Entities in FusionAuth) is the correct choice. Be sure to carefully scope each partner’s access to avoid over-permissioning.

        More on these topics:

        • API Authorization with FusionAuth
        • Tenants Overview
        • JWT Anatomy
        • Authorization Models
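The answer above makes two separate points: a partner API must first authenticate the bearer token (signature, algorithm, expiry, issuer, audience) and only then authorize on its claims, keeping partners isolated by tenant and scoped by role (user tokens) or permission (client credentials tokens). The example below is added here to show both steps together; it is not FusionAuth's code nor the poster's. It uses only the Python standard library, so `mint_token` is a stand-in for FusionAuth's HS256 issuance and exists only to build constructed sample tokens. All ids, the secret, the issuer URL and the claim names (`aud`, `iss`, `exp`, `tid`, `roles`, `permissions`) are assumptions for illustration; check them against your own FusionAuth configuration and the JWT documentation linked above. It generalises slightly beyond the thread by handling both a user token and a client-credentials token in one resource-server check.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (hypothetical). In a real deployment the signing secret,
# issuer, application id, tenant id and entity id come from your FusionAuth configuration.
DEMO_SECRET = "demo-shared-secret-not-for-production"
ISSUER = "https://auth.example.com"         # hypothetical FusionAuth issuer
PARTNER_APP_ID = "partner-app-0000"         # hypothetical partner-facing application id
PARTNER_TENANT_ID = "partner-tenant-0000"   # hypothetical partner tenant id
API_ENTITY_ID = "partner-api-entity-0000"   # hypothetical entity representing this API (server-to-server)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, secret):
    """Stand-in for FusionAuth's HS256 issuance, used only to build constructed sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, secret, issuer, audiences, now=None):
    """Authenticate a bearer token: signature, alg, exp, iss and aud. Returns claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if not any(a in audiences for a in aud):  # token must have been issued for this API
        raise ValueError("token not issued for this API")
    return claims


def authorize(claims, tenant_id, needed):
    """Authorize on already-verified claims: the caller must belong to the partner tenant and
    hold the required role (user token) or permission (client-credentials token)."""
    if claims.get("tid") != tenant_id:
        return False
    granted = set(claims.get("roles", [])) | set(claims.get("permissions", []))
    return needed in granted


def demo(now=1_700_000_000):
    """Run the checks against constructed tokens; returns a dict of outcomes."""
    audiences = {PARTNER_APP_ID, API_ENTITY_ID}
    base = {"iss": ISSUER, "aud": PARTNER_APP_ID, "tid": PARTNER_TENANT_ID, "sub": "partner-user-1"}
    user_token = mint_token({**base, "exp": now + 3600, "roles": ["orders:read"]}, DEMO_SECRET)
    entity_token = mint_token({"iss": ISSUER, "aud": API_ENTITY_ID, "tid": PARTNER_TENANT_ID,
                               "sub": "partner-entity-1", "exp": now + 300,
                               "permissions": ["orders:write"]}, DEMO_SECRET)
    stale_token = mint_token({**base, "exp": now - 1, "roles": ["orders:read"]}, DEMO_SECRET)
    forged_token = mint_token({**base, "exp": now + 3600, "roles": ["orders:write"]}, "guessed-secret")
    other_tenant = mint_token({**base, "tid": "tenant-employees", "sub": "staff-1",
                               "exp": now + 3600, "roles": ["orders:write"]}, DEMO_SECRET)
    results = {}
    user = verify_token(user_token, DEMO_SECRET, ISSUER, audiences, now)
    results["user_can_read"] = authorize(user, PARTNER_TENANT_ID, "orders:read")
    results["user_can_write"] = authorize(user, PARTNER_TENANT_ID, "orders:write")
    entity = verify_token(entity_token, DEMO_SECRET, ISSUER, audiences, now)
    results["entity_can_write"] = authorize(entity, PARTNER_TENANT_ID, "orders:write")
    staff = verify_token(other_tenant, DEMO_SECRET, ISSUER, audiences, now)
    results["other_tenant_rejected"] = not authorize(staff, PARTNER_TENANT_ID, "orders:write")
    for name, tok in (("stale_rejected", stale_token), ("forged_rejected", forged_token)):
        try:
            verify_token(tok, DEMO_SECRET, ISSUER, audiences, now)
            results[name] = False
        except ValueError:
            results[name] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The split between `verify_token` and `authorize` is the point: authentication proves the token came from your FusionAuth instance and was meant for this API, while authorization is where tenant isolation (`tid`) and least privilege (one role or permission per operation) are enforced, so an otherwise valid token from another tenant or with a broader role never reaches the handler.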