Best practices for integration testing APIs


Our APIs are protected by verifying the authenticity of an Auth0 JWT token and then we use the permission claims for authorisation.

We have a suite of integration tests that runs 10s, maybe 100s of times per day. By design, our APIs are called by a mix of users and M2M applications and we want to imitate this as closely as we can in our integration testing.

Our ideal plan is to

  1. For user-focused APIs dynamically generate a user with the correct permissions using the management client
  2. For M2M APIs use an integration testing M2M application where we mint a new access token per test run

Our problem
When minting a new access token for our integration tests to hit our APIs, this contributes to our 1000 M2M tokens per month and we will breach this very quickly. Our build system is stateless due to horizontal scaling, so we cannot cache these tokens.

What are Auth0’s best practices for creating access tokens for machine-to-machine designed API testing?