Auth Management API

Introduction

basebox uses an external OpenID Connect service to provide authorization and authentication services. For some tasks, applications based on basebox need access to the authentication provider's management API; this is what basebox' Auth Management API is for.

For example, when you create a new user for your application, a user record is created in the database managed by basebox and the user database managed by your auth provider service.
When a user wants to deregister from your application, you have to delete their data from both the application database (which is managed by basebox) and the user database managed by your auth provider service (GDPR compliance). This is where basebox' Auth Management API comes into play.

basebox' Auth Management API is currently very limited, but we will add more functionality in the future.

Calls to the basebox Auth Management API are made via GraphQL.

Provider Support

Currently, only Auth0 is supported by basebox' Auth Management API. We will add support for other providers in the future (e.g. Keycloak).

Configuration

basebox' Auth Management API is configured in the [auth_management] section of the broker configuration file; the configuration is provider-specific. Follow the provider-specific links below for details.

API

See API for details.

Permissions

basebox currently supports Operation Level Security: before a user can call any GraphQL operation, the user needs permission to access that operation. These permissions must be present in the access token, in an array structure called Permissions. Each entry in the Permissions array is a string of the format allow::bb::operation::<operationName>. This is easy to add to an IdP like Auth0, which has a built-in Permissions structure where the operations can be added in the correct format. The Permissions tab can be found in Auth0 under the API that you have set up for the service.

Please refer to the Operation Level Security section of the Guide for more information on setting up Auth0 and Keycloak permissions.
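The following added example (not basebox code) audits an access token's Permissions array against the operations a client actually needs, reporting missing grants, excess grants and entries that do not follow the allow::bb::operation::<operationName> format. Assumptions: the claim is named Permissions as written above, operation names follow GraphQL name rules, the operation names and token are constructed samples, and the payload is decoded for inspection only, with signature verification done elsewhere.

```python
import base64
import json
import re

# allow::bb::operation::<operationName>; the name is assumed to be a GraphQL name
_PERMISSION = re.compile(r"allow::bb::operation::([_A-Za-z][_0-9A-Za-z]*)\Z")

def unverified_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT checked."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_operations(claims, claim="Permissions"):
    """Return (operation names, unrecognized entries) from the permissions array."""
    entries = claims.get(claim)
    if not isinstance(entries, list):
        return set(), []  # claim missing or wrong type: nothing is granted
    granted, unrecognized = set(), []
    for entry in entries:
        match = _PERMISSION.match(entry) if isinstance(entry, str) else None
        if match:
            granted.add(match.group(1))
        else:
            unrecognized.append(entry)
    return granted, unrecognized

def audit(claims, required):
    """Compare the operations a client needs with those its token grants."""
    granted, unrecognized = granted_operations(claims)
    return {"missing": sorted(set(required) - granted),
            "excess": sorted(granted - set(required)),
            "unrecognized": unrecognized}

def _segment(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: hypothetical operation names, placeholder signature.
SAMPLE_TOKEN = ".".join([
    _segment({"alg": "RS256", "typ": "JWT"}),
    _segment({"sub": "auth0|example", "Permissions": [
        "allow::bb::operation::createUser",
        "allow::bb::operation::deleteUser",
        "read:users",  # not in the operation-level format
    ]}),
    "signature-placeholder",
])

if __name__ == "__main__":
    print(audit(unverified_claims(SAMPLE_TOKEN), ["createUser", "getUser"]))
```

An "excess" entry is a grant the client does not use and is a candidate for removal under least privilege; a "missing" entry explains why a call to that operation would be refused.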