How to implement concurrent API access for users and a mobile app?
I need an API that a mobile app will connect to; the mobile app will serve a CRM system whose frontend is written in React.
Login to the CRM is implemented with Auth0 JWT. The user logs in and lands on the main page, a view that is available to all logged-in users regardless of access rights. If the user has the permissions, he can keep browsing the CRM; if not, he can't. That part is all clear. But what if there is an administrative application, available only to a specific circle of people? It needs to call the API and have access to everything. How is that implemented: create a role with all rights, called, for example, "app"? But what about authentication in that case? If a user is redirected to the login page, what happens with the application? It is always the same one; there is only one of it. Do I need to explicitly grant it access without authentication, with no obstacles, even without a JWT... Or is that not possible? What is the login mechanism for API access for my app?
And what's the problem?
According to your text, you already have users divided into roles, and depending on the role the user has specific functionality available in the application.
Add a new role that has access to everything. Accordingly, if you log in to the administrative application with an "admin" user, the data should be served by the API; with a user without rights, it will produce an error.
The idea is that no matter what app you have (public/non-public), all the logic should be implemented in the API, and the app only "draws" what arrives from the API.
If the problem is something else, specify the question more clearly.