API Services - machine-to-machine authentication - multiple client secrets needed

I want to issue a unique client secret to each user in my Auth0 IdP (likely hundreds) so that they can call POST /oauth/token to get a bearer token to then call my application APIs. There appears to be a restriction on the number of applications you can create per tenant (even on the enterprise version), so creating a unique app per user does not seem feasible.

The business problem we are trying to solve is having hundreds of 3rd party integrators calling our internal APIs. They will sign up on a SPA (Single Page App) to create an “integrators” account on Auth0. I then want to issue each user/integrator with a unique client secret so that they can call our internal API using a bearer token issued by Auth0. I am trying to prevent sharing the same client secret between all the users/integrators. Our internal systems manage the authorisation (i.e. can this user call this API for this internal customer) - we want to use Auth0 to manage the authentication of the user making the API call.


Hello there @simon.laver and welcome to the community!

Your use case makes total sense to me - Unfortunately, Auth0 does not currently support API Keys outside of the context of client credentials grants/exchanges so the limitations you’ve mentioned do apply. I recommend upvoting the feedback request in the following FAQ:

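An added example, not from this thread or from Auth0's SDKs, of the API side of the flow discussed above: validating a client-credentials bearer token and handing the internal authorisation layer a caller identity. It assumes the Auth0 API is configured to sign access tokens with HS256 and uses a constructed signing secret, tenant and audience; make_token only stands in for Auth0's POST /oauth/token so the check can run offline. The security-relevant point for the question: Auth0 puts the client_id in the token's sub claim (as <client_id>@clients), so only per-integrator clients give your authorisation layer a caller it can tell apart or revoke, while a shared secret makes every integrator's token identical here.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example; a real API reads the signing secret,
# issuer and audience (API identifier) from its Auth0 API settings.
API_SIGNING_SECRET = b"example-hs256-signing-secret-not-real"
ISSUER = "https://example-tenant.auth0.com/"
AUDIENCE = "https://api.example.internal/"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(client_id: str, scope: str, ttl: int = 3600, now=None) -> str:
    """Mint an HS256 token shaped like an Auth0 client-credentials access token.
    Constructed stand-in for Auth0's /oauth/token so the example runs offline."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": f"{client_id}@clients", "aud": AUDIENCE,
               "iat": now, "exp": now + ttl, "azp": client_id,
               "gty": "client-credentials", "scope": scope}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(API_SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_bearer(token: str, now=None) -> dict:
    """Validate an incoming bearer token; return the caller's client_id and scopes
    for the internal authorisation check. Raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(API_SIGNING_SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # Auth0 may emit aud as a list
    if claims.get("iss") != ISSUER or AUDIENCE not in auds:
        raise ValueError("wrong issuer or audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    sub = claims.get("sub", "")
    client_id = sub[:-len("@clients")] if sub.endswith("@clients") else sub
    return {"client_id": client_id, "scope": claims.get("scope", "").split()}
```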
