Do you need to use the Authorization Extension with the Core Authorization Library?

You will only need to authorize your regular web application in the machine to machine section if you intend for that application to obtain access tokens for the API using a client credentials flow (Client Credentials Flow).

If you check that page you’ll see the flow does NOT involve any user credentials; only client credentials (client id and secret). In this client credentials flow the issued access token will count towards the quota for M2M because it’s an access token issued for the client application credentials.

If your regular web application is authenticating users and as part of that authentication it requests an access token for the custom API then:

  • you don’t need to authorize the application in that section.
  • the issued access token is related to an end-user and as such won’t count for M2M quota.
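Added example, not part of the original answer: a small audit helper that sorts access tokens into the two cases described above, so you can see which ones were issued to client credentials and which to an end user. It assumes Auth0-style access token claims (`gty` set to `client-credentials` and a `sub` ending in `@clients` for client credentials tokens), which the answer itself does not state; the tokens, client ID, user ID and audience below are constructed samples.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed JWT-shaped string for the demo (dummy signature)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(b'constructed-signature')}"


def decode_payload(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature.

    Good enough for auditing token usage; never use it for access decisions.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))


def classify_grant(token: str) -> str:
    """Return 'm2m' for client credentials tokens, 'user' otherwise."""
    claims = decode_payload(token)
    # Assumption: claim conventions seen in Auth0-issued access tokens.
    if claims.get("gty") == "client-credentials":
        return "m2m"
    if str(claims.get("sub", "")).endswith("@clients"):
        return "m2m"
    return "user"


def count_m2m(tokens) -> int:
    """Number of tokens in the batch issued via client credentials."""
    return sum(1 for t in tokens if classify_grant(t) == "m2m")


# Constructed samples: one client credentials token, one end-user token.
AUD = "https://api.example.test"
M2M_TOKEN = make_sample_token(
    {"sub": "EXAMPLECLIENTID@clients", "gty": "client-credentials", "aud": AUD})
USER_TOKEN = make_sample_token(
    {"sub": "auth0|constructed-user-id", "aud": AUD, "scope": "read:items"})

if __name__ == "__main__":
    for name, tok in (("m2m sample", M2M_TOKEN), ("user sample", USER_TOKEN)):
        print(name, "->", classify_grant(tok))
```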