Authenticate third-party apps


I am pretty much new to Auth0. I am building an API in nest.js that is secured by Auth0. So if a user has a valid access token, it can access the API.

I need to expose the API to third-party applications, which will have a sort of API key to access my API.
I tried machine-2-machine authentication. So far, I am not able to achieve what I need.

Here’s what I’ve done:

  1. Created a “Machine to Machine” application.
  2. Granted it the permission to Auth0 API.
  3. I can retrieve an access token

Now, I don’t know how I can get the application name in the JWT token.

Overall, I can manage permissions to each application dedicated to third-party applications, but in my API, I need to check the client’s name for further validation.

What I’m trying to achieve:

  1. Secure my API with Auth0
  2. Expose my API to third-party clients with API keys
  3. Get the client’s detail on my API server to check to whom the token belongs

Is it doable with Auth0? Or is there something wrong with my authentication approach?


Hello @kvirk welcome to the community!

While not “officially” supported (see this feedback request) - You’re on the right track in terms of what you can achieve with Auth0.

I assume you mean the associated third party app in this case? If so, you might want to look into using an M2M flow action in order to add a custom claim. Taking advantage of app_metadata could work in this use case.

Hope this helps!

I think that’s what I want, but can you please guide me to the documentation where the steps to get the app_metadata in the access_token JWT are written?


I have gone through the document at (Machine to Machine Flow)

I have created an action for my machine-to-machine application, the code is as follows

exports.onExecuteCredentialsExchange = async (event, api) => {
  // Debug output only: dump what the Action receives for the calling client.
  console.log("=== onExecuteCredentialsExchange ===");
  console.log("Event", event.client, event.client_metadata);
  console.log("API", api);
  console.log("=== end: onExecuteCredentialsExchange ===");
};

But, event.client is undefined whereas I have defined application metadata in my application whose client_id and client_secret I’m using to get access token. Here is the screenshot of how I have defined it under “Application > My Demo Application > Advanced Settings : Application Metadata”

Can you please guide me on what I’m doing wrong here?


Hey @kvirk I apologize for the delayed response here!

Were you ever able to get this sorted?

You’ll need to refactor your Action code to add a custom claim to the access token. A super simple example looks like:

exports.onExecuteCredentialsExchange = async (event, api) => {
  // Copy the application's metadata into the access token as a custom claim.
  api.accessToken.setCustomClaim("", event.client.metadata);
};

Hope this helps!


I don’t know, but Actions didn’t work for me; event.client was undefined even though the client has metadata (please refer to my last comment). Anyway, I used Hooks and got the client metadata. Here is the code snippet:

module.exports = function(client, scope, audience, context, cb) {
  var access_token = {};
  access_token.scope = scope;
  // Embed the calling client's details in the issued access token.
  access_token["client_info"] = client;
  cb(null, access_token);
};


Thanks for confirming @kvirk and for sharing the code - Good to know you got it working! :muscle:
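
As an added example (not code from this thread or from Auth0), this is one way the API server could decide which third-party client a token belongs to once the token has been verified. It assumes the usual claims in Auth0 client-credentials tokens (`gty`, `azp`, and `sub` of the form `<client_id>@clients`) and the `client_info` claim set by the hook above; the registry, client IDs, audience and the `identifyClient` helper are constructed placeholders.

```javascript
// Constructed registry of third-party clients, keyed by Auth0 client_id.
// IDs, names and scopes are placeholders, not values from the thread.
const KNOWN_CLIENTS = new Map([
  ["partnerA-client-id", { name: "Partner A", allowedScopes: ["read:orders"] }],
  ["partnerB-client-id", { name: "Partner B", allowedScopes: ["read:orders", "write:orders"] }],
]);

const API_AUDIENCE = "https://api.example.test"; // placeholder API identifier

// `payload` is the decoded body of an access token whose signature, issuer
// and expiry were ALREADY verified by the API's JWT middleware (assumption).
function identifyClient(payload, requiredScope) {
  const fail = (reason) => ({ ok: false, reason });

  // Only accept tokens issued through the client-credentials grant.
  if (payload.gty !== "client-credentials") return fail("not an M2M token");

  // `aud` may be a single string or an array of strings.
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(API_AUDIENCE)) return fail("wrong audience");

  // Identity comes from the issuer-set claims, which must agree with each other.
  const clientId = payload.azp;
  if (typeof clientId !== "string" || payload.sub !== `${clientId}@clients`) {
    return fail("azp/sub mismatch");
  }

  // If the hook's client_info claim is present, it must name the same client
  // (assumes the hook's client object carries an `id` field).
  const info = payload.client_info;
  if (info && info.id !== clientId) return fail("client_info mismatch");

  // Authorize against the server-side registry, keyed by the stable client_id
  // rather than by the display name carried in the token.
  const entry = KNOWN_CLIENTS.get(clientId);
  if (!entry) return fail("unknown client");

  // The scope must be granted in the token and allowed for this client.
  const granted = (payload.scope || "").split(" ").filter(Boolean);
  if (!granted.includes(requiredScope) || !entry.allowedScopes.includes(requiredScope)) {
    return fail("insufficient scope");
  }
  return { ok: true, clientId, name: entry.name, metadata: (info && info.metadata) || {} };
}
```

In a nest.js API this check would sit in a guard that runs after the JWT strategy has validated the token and attached its payload to the request.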
