Problem statement
When a valid Client ID and Client Secret are presented towards the token endpoint but an error happens during the client-exchange trigger (Machine to Machine Flow of Auth Actions), does this request count as one in the quota? In other words, if we call api.access.deny() during the Action, would the request be counted as one in the Quota Utilization?
Solution
Machine-to-machine auth represented in Quota Utilization is the number of access tokens issued by Auth0 for the client credentials grant (Client Credentials Flow) per calendar month, per tenant. Tokens issued for Auth0 Management API or other Auth0 built-in APIs are not counted.
As specified in this documentation: Machine to Machine Flow, the credentials-exchange trigger is a function executed before the access token is returned.
This means that using this specific trigger, the Action will execute before the access token is returned. So if you call api.access.deny() in the Action, no access token will be returned, and no M2M Utilization will happen, so it will not count towards the M2M tokens quota.
Nevertheless, you can make a simple test of such action in which the trigger onExecuteCredentialsExchange will end up calling api.access.deny() function and see if in tenant logs you see any log with the type of Seccft, which is Successful exchange of Access Token for a Client Credentials Grant (based on the above information, if api.access.deny() will be called using this specific trigger, no Seccft type of log should happen; therefore, no M2M utilization will be counted either).