Client Credentials Flow for API access

We implemented passwordless authentication for our web application.
However, we also need to grant access to our API to users that are only interested in the data returned by the API.

What’s the recommended flow? We could use “Client Credentials Flow”, but how do we track which user is doing the requests via the provided access token? Could the access token have a long lifetime? Let’s say more than one month?

I guess we should create Applications programmatically (Auth0 Management API v2), but how do we assign or authorize them programmatically in our Custom API (Machine to Machine section)?

Would it require a Grant for the created client? Auth0 Management API v2

Regards, Flavio

Hi @ollivera,

Thanks for reaching out to the Auth0 Community!

The Client Credentials Flow works, but it does not have any user interaction. Instead, I recommend that you continue using the Authorization Code flow with Passwordless and specify the audience query parameter in the request. In doing so, you can call your API for those users.

Please see the Call Your API Using the Authorization Code Flow documentation to learn more.

If you need any help with the implementation or have any further questions, please feel free to reach out.
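An added example (not from the thread) of the approach recommended above: the authorize request carries the `audience` of the custom API, and the API then identifies the calling user from the access token's `sub` claim only after checking the signature, audience and expiry. The domain, client id, connection name and HS256 secret are assumptions; Auth0 normally signs API access tokens with RS256 and publishes keys via JWKS, so a production API should verify with a JWT library against JWKS rather than this self-contained HS256 illustration.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

def build_authorize_url(domain, client_id, redirect_uri, audience, state):
    # Hypothetical tenant values; "email" is an assumed passwordless connection name.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "audience": audience,    # binds the issued access token to the custom API
        "connection": "email",   # passwordless connection (assumption)
        "state": state,          # CSRF protection for the redirect
    }
    return f"https://{domain}/authorize?{urlencode(params)}"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_hs256_token(claims: dict, secret: str) -> str:
    # Constructs a test token so the example runs offline; Auth0 would issue the real one.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256_access_token(token: str, secret: str, expected_audience: str, now=None) -> dict:
    # Returns the verified claims; the API attributes the request to claims["sub"].
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never trust the alg the token asks for
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_audience not in aud_list:     # token minted for another API is rejected
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims
```

Because each token is issued to a user rather than to a client, `claims["sub"]` gives per-user attribution that the Client Credentials flow cannot provide.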