u/Brinner17

▲ 5 r/django

How should I authenticate Auth0 users in a Django REST Framework API called by an MCP server?

Hi everyone,

I’m building a Django REST Framework API and I need help understanding the correct way to authenticate users and return only their own data.

My setup is:

  • Auth0 for authentication
  • Django REST Framework as the backend API
  • An MCP server that will call the Django API
  • The MCP server will send requests to Django with a bearer token, like:

​

Authorization: Bearer <token>

What I want is:

  • The Django API should verify that the token is valid
  • The API should know which user the token belongs to
  • The API should only return data belonging to that user

For example, if I have a Note model with an owner, I want something like this to be safe:

Note.objects.filter(owner=request.user)

But I’m not sure how to correctly set this up.

My questions are:

  1. How should Django REST Framework validate the Auth0 token?
  2. Should I write a custom authentication class for this?
  3. How does Django turn the token into request.user?
  4. Should I create local Django users based on the Auth0 user ID?
  5. How should the MCP server get and pass the token to Django?
  6. What is the right OAuth/Auth0 flow if the data belongs to individual users?
  7. What is the safest standard way to make sure each user can only access their own data?

I understand basic Django and Python, but I’m new to authentication, JWTs, Auth0, and OAuth, so I’d really appreciate a step-by-step explanation or recommended pattern or resource to learn this.

Thanks.

reddit.com
u/Brinner17 — 7 days ago