Best Practices for authenticating my SDK

Thank you @nik.baleca!

The SDK will be used to interact with my backend services (requesting resources, uploading resources, etc.). It’s not an SDK to interact with Auth0, but to interact with my own servers. It uses an Auth0 SDK for authentication under the hood, and then sends the M2M token received from Auth0 in all requests to my backend.

I guess what I’m most confused about is whether I should have my SDK request M2M tokens from Auth0 directly or request tokens from my backend API (which would then request tokens from Auth0). I would share unique token information (secret and id) for each application so that I can reduce risk and track use as you were saying. What I don’t understand is whether I should store the M2M token for that secret and id in my backend and reuse that token until it expires. So when the SDK needs a new token, it would request one from my backend. The backend would then check whether the token it has stored for that id and secret is expired. If not, it sends that token to the SDK. If it is, it requests a new token from Auth0, stores it, and sends that new token. Basically, 2 different apps would authenticate my SDK using different ids and secrets. But then each mobile device running App A would receive the same M2M token, and each device running App B would receive the same M2M token, while the tokens for App A and App B are different.

Are there any security concerns with this? Or is this ok because the SDK per app is essentially one client (even if downloaded on multiple devices)?
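The backend-side caching scheme described in the post, written out as an added example (Python; this is not code from the post, from Auth0, or from any Auth0 SDK). It assumes a table of registered applications (`client_id` to `client_secret`), a pluggable `fetch_token` callable that performs the client-credentials grant, a fixed refresh margin so a token that is about to expire is never handed out, and a constant-time secret check in front of the cache so that knowing an application's `client_id` alone is not enough to obtain that application's cached token. `FakeAuth0` is a constructed stand-in for the token endpoint so the example runs offline; `auth0_client_credentials_fetcher` shows the real request shape (POST to `/oauth/token` with `grant_type=client_credentials`) but is not exercised here.

```python
"""Per-application M2M token cache as described in the post (added example)."""
import hmac
import json
import time
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict

# A token-endpoint response carries at least "access_token" and "expires_in" (seconds).
TokenResponse = dict


@dataclass
class CachedToken:
    access_token: str
    expires_at: float  # unix timestamp at which Auth0 says the token expires


class M2MTokenCache:
    """Keeps one M2M token per registered application and reuses it until near expiry."""

    def __init__(self, registered_apps: Dict[str, str],
                 fetch_token: Callable[[str, str], TokenResponse],
                 now: Callable[[], float] = time.time,
                 refresh_margin: float = 60.0):
        # registered_apps: client_id -> client_secret issued to that application (assumed table).
        # fetch_token(client_id, client_secret) performs the client-credentials grant; injected
        # so the cache can be driven by a fake endpoint and a fake clock in tests.
        self._apps = registered_apps
        self._fetch = fetch_token
        self._now = now
        self._margin = refresh_margin
        self._cache: Dict[str, CachedToken] = {}

    def get_token(self, client_id: str, client_secret: str) -> str:
        # Authenticate the SDK's request before touching the cache; a wrong secret
        # must never return another application's token.  Constant-time compare.
        expected = self._apps.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("unknown client_id or bad client_secret")

        cached = self._cache.get(client_id)
        if cached is not None and cached.expires_at - self._margin > self._now():
            return cached.access_token  # every device of this app gets the same token

        resp = self._fetch(client_id, client_secret)
        token = CachedToken(resp["access_token"], self._now() + float(resp["expires_in"]))
        self._cache[client_id] = token
        return token.access_token


class FakeAuth0:
    """Constructed stand-in for the token endpoint: counts calls, issues 1-hour tokens."""

    def __init__(self) -> None:
        self.calls = 0

    def fetch(self, client_id: str, client_secret: str) -> TokenResponse:
        self.calls += 1
        return {"access_token": f"tok-{client_id}-{self.calls}",
                "expires_in": 3600, "token_type": "Bearer"}


def auth0_client_credentials_fetcher(domain: str, audience: str) -> Callable[[str, str], TokenResponse]:
    """Real-shaped fetcher: POST https://{domain}/oauth/token (not called in this example)."""
    def fetch(client_id: str, client_secret: str) -> TokenResponse:
        body = json.dumps({"grant_type": "client_credentials", "client_id": client_id,
                           "client_secret": client_secret, "audience": audience}).encode()
        req = urllib.request.Request(f"https://{domain}/oauth/token", data=body,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as r:
            return json.load(r)
    return fetch


def demo() -> Dict[str, int]:
    """Drive the cache with a fake clock; returns fetch count and cache-hit count."""
    clock = {"t": 1000.0}
    auth0 = FakeAuth0()
    cache = M2MTokenCache({"app-a": "secret-a", "app-b": "secret-b"},
                          auth0.fetch, now=lambda: clock["t"])
    hits = 0
    first = cache.get_token("app-a", "secret-a")          # fetched
    for _ in range(3):                                    # three more devices of App A
        hits += cache.get_token("app-a", "secret-a") == first
    cache.get_token("app-b", "secret-b")                  # separate token for App B
    clock["t"] += 3600 - 30                               # inside the 60 s refresh margin
    cache.get_token("app-a", "secret-a")                  # refreshed from Auth0
    return {"fetches": auth0.calls, "hits": hits}


if __name__ == "__main__":
    print(demo())
```

Because the cache key is the application's `client_id`, the backend sees only "App A" or "App B" in the token it hands out, exactly as the post describes; any per-device tracking therefore has to come from something the backend records at request time, not from the token itself. The refresh margin is what stops a device from receiving a token with seconds of life left and failing its first call to the backend.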