
Access Token for programmatic API Access


#1

I want to give my users one or more tokens that they can use in their scripts to access my API. These scripts would run as part of an automated process, so they should not expire (at least not in a short period of time). They should be revokable. Something like AWS provides for IAM accounts, or the Auth0 ClientSecret.

It would be great if I didn’t have to store these tokens in my DB, so I’m trying out how to do this with Auth0 (or even if this scenario is supported). I’ve successfully set up interactive login, as well as issuance of new tokens using silent authentication.

However, I can’t figure out how to change the expiration time of the token on demand (i.e., the user specifies validity length) and then also how to revoke that token once issued. I’ve been reading through the docs, and it only ever seems to mention interactive sessions, or application to application access (without a user context).


#2

Auth0 only allows this when using the Client Credentials grant. Basically, the users get a Client ID and Client Secret, like every other app connected to Auth0. The app can then exchange those two for an access token and that token is valid for your API.

Keep in mind that doing machine to machine auth like that requires you to purchase an add-on to your subscription.

If you want to know more about why Auth0 promotes this way of working, check out this page on the docs.
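The exchange described in this reply, as an added example that is not part of the original thread: one function builds the Client Credentials request a user's script would POST to the tenant's `/oauth/token` endpoint, and another shows the checks the API must perform on the resulting token (signature, issuer, audience, expiry) before trusting it. The tenant domain, client credentials, audience and signing secret are placeholders, and the token is signed with HS256 using stdlib `hmac` so the example runs offline; Auth0 signs API tokens with RS256 by default, so a real API would verify against the tenant's JWKS instead.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_token_request(domain, client_id, client_secret, audience):
    """URL and form body the user's script POSTs for the Client Credentials grant.
    `audience` is the API Identifier configured in the Auth0 dashboard."""
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "audience": audience}
    return f"https://{domain}/oauth/token", urlencode(body)

def sign_hs256(claims: dict, secret: str) -> str:
    """Constructed stand-in for the token Auth0 would return (assumes an HS256-signed API)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_api_token(token, secret, expected_iss, expected_aud, now=None):
    """Checks the API runs on every request. Returns the claims, or None if the token is rejected.
    The algorithm is pinned server-side rather than read from the token header."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected_sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(payload))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != expected_iss or expected_aud not in audiences:
        return None            # token was minted for a different tenant or API
    if claims.get("exp", 0) <= now:
        return None            # expired: the script must request a fresh token
    return claims

if __name__ == "__main__":
    # Placeholder tenant and API values; the claims mirror a client-credentials token shape.
    url, body = build_token_request("example-tenant.auth0.com", "CLIENT_ID", "CLIENT_SECRET", "https://api.example.com")
    tok = sign_hs256({"iss": "https://example-tenant.auth0.com/", "sub": "CLIENT_ID@clients",
                      "aud": "https://api.example.com", "iat": 1000, "exp": 2000}, "API_SIGNING_SECRET")
    print(url, body, verify_api_token(tok, "API_SIGNING_SECRET", "https://example-tenant.auth0.com/", "https://api.example.com", now=1500))
```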