API security for external calling systems

I am using Auth0 in a Springboot application, in which machine to machine is used. The resource server is secured by putting corresponding auth0 client id and secret code. The caller, will just need client id and secret code to access the endpoints.
When this application is hosted in the cloud, AWS for example, I want to have different calling applications from outside to call it but I think I should not distribute the same client id and secret code for all callers and use a field in the request, for example tenant id, to secure the endpoints.
The application is not call by real human. How should I setup in Auth0 and/or in my SpringBoot app for this case?