Best Practices for authenticating my SDK

Hi @n8rose1

Welcome to the Auth0 security!

Regarding your setup, yes, that would be the correct approach. It is intended to have an M2M application which is authorized to handle such transactions between your application (SDK) and Auth0’s Management API. That way, unauthorized applications will not be able to request a token directly from Auth0. Basically, your API would be acting as a secure middleman for these transactions.

Otherwise, if you do not mind me asking, what would be the reason for building your own SDK? By using an official Auth0 SDK, the token management would be handled for them.

Sharing the same token information (secret and id) with multiple applications would present multiple risks, such as unauthorized users or applications being able to use them. My personal advice would be to consider the first approach, where each instance of the SDK would be provided unique tokens which you would be able to track using a record. However, this can raise the risk of hitting rate limits for the Management API. It can be quite difficult to provide a suitable recommendation without knowing the implementation details of the SDK. For that matter, I would highly recommend reviewing the following documentation:

As you have mentioned, if you can provide more details about the implementation, how it is being used or sharing the code via a DM, that would be great!

If you have any other questions on the matter, let me know!

Kind Regards,
Nik
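A sketch of the middleman pattern described in this reply, added here as an example and not code from the original post or from Auth0: the service keeps the M2M credentials to itself, authenticates each SDK instance with its own key, records every request per instance, and caches the single Management API token so token requests (and therefore rate-limit exposure) do not grow with the number of instances. The INSTANCE_KEYS table and the injected fetch_token function are constructed assumptions so the code runs offline.

```python
import hashlib
import hmac
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: SHA-256 digests of the per-SDK-instance API keys this
# middleman issued earlier (only digests are stored, never the keys).
INSTANCE_KEYS: Dict[str, str] = {
    "sdk-instance-a": hashlib.sha256(b"constructed-key-A").hexdigest(),
    "sdk-instance-b": hashlib.sha256(b"constructed-key-B").hexdigest(),
}

class TokenBroker:
    """Middleman between SDK instances and the Auth0 Management API.
    The M2M client_id/client_secret stay inside this service; each SDK
    instance authenticates with its own key, every request is recorded,
    and one Management API token is cached until expiry so /oauth/token
    calls do not grow with the number of instances (rate-limit concern)."""

    def __init__(self, fetch_token: Callable[[], dict], skew: int = 30):
        # fetch_token performs the client-credentials grant (hypothetical
        # injected function so the example runs offline); it returns a dict
        # with "access_token" and "expires_in" (seconds).
        self._fetch = fetch_token
        self._skew = skew
        self._cached: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0
        self.audit_log: List[Tuple[str, str, float]] = []

    def _authenticate(self, instance_id: str, api_key: str) -> bool:
        digest = hashlib.sha256(api_key.encode()).hexdigest()
        # Constant-time compare; an unknown instance id compares against "".
        return hmac.compare_digest(digest, INSTANCE_KEYS.get(instance_id, ""))

    def _management_token(self) -> str:
        # Refresh only when the cached token is missing or about to expire.
        if self._cached is None or time.time() >= self._expires_at - self._skew:
            resp = self._fetch()
            self.fetch_count += 1
            self._cached = resp["access_token"]
            self._expires_at = time.time() + resp["expires_in"]
        return self._cached

    def token_for(self, instance_id: str, api_key: str) -> Optional[str]:
        # Wrong or unknown key: record the denial and hand out nothing.
        if not self._authenticate(instance_id, api_key):
            self.audit_log.append((instance_id, "denied", time.time()))
            return None
        self.audit_log.append((instance_id, "issued", time.time()))
        return self._management_token()
```

The audit_log is the "record" mentioned above: it lets you see which SDK instance obtained or was denied a token and when, without ever exposing the M2M secret to the instances.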