Application A (not m2m):
- Application type: regular web application
- Allow CORS: on
- Refresh token rotation and expiration: off
- Credentials: client secret (post)
Application B (m2m):
- Same as above for all
- APIs: urn:auth0-authz-api (identifier) (has full permissions: groups, roles, users, etc)