▲ 5 r/django
How should I authenticate Auth0 users in a Django REST Framework API called by an MCP server?
Hi everyone,
I’m building a Django REST Framework API and I need help understanding the correct way to authenticate users and return only their own data.
My setup is:
- Auth0 for authentication
- Django REST Framework as the backend API
- An MCP server that will call the Django API
- The MCP server will send requests to Django with a bearer token, like:
​
Authorization: Bearer <token>
What I want is:
- The Django API should verify that the token is valid
- The API should know which user the token belongs to
- The API should only return data belonging to that user
For example, if I have a Note model with an owner, I want something like this to be safe:
Note.objects.filter(owner=request.user)
But I’m not sure how to correctly set this up.
My questions are:
- How should Django REST Framework validate the Auth0 token?
- Should I write a custom authentication class for this?
- How does Django turn the token into
request.user? - Should I create local Django users based on the Auth0 user ID?
- How should the MCP server get and pass the token to Django?
- What is the right OAuth/Auth0 flow if the data belongs to individual users?
- What is the safest standard way to make sure each user can only access their own data?
I understand basic Django and Python, but I’m new to authentication, JWTs, Auth0, and OAuth, so I’d really appreciate a step-by-step explanation or recommended pattern or resource to learn this.
Thanks.
u/Brinner17 — 7 days ago