We implemented passwordless authentication for our web application.
However, we also need to grant access to our API to users who are only interested in the data returned by the API.
What’s the recommended flow? We could use the “Client Credentials Flow”, but how do we track which user is making the requests via the provided access token? Could the access token have a long life? Let’s say more than one month?
I guess we should create Applications programmatically (Auth0 Management API v2), but how do we assign or authorize them programmatically in our Custom API (Machine to Machine section)?
The Client Credentials Flow works, but it does not have any user interaction. Instead, I recommend that you continue using the Authorization Code flow with Passwordless and specify the audience query parameter in the request. In doing so, you can call your API for those users.
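As an added illustration (not code from the thread or from Auth0), this builds the Authorization Code + PKCE request with the `audience` parameter pointing at the custom API, and the matching token-exchange body and callback `state` check; the tenant domain, client ID, redirect URI and API identifier are placeholder assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values (assumed, not from the original thread).
AUTH0_DOMAIN = "example-tenant.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/callback"
API_AUDIENCE = "https://api.example.com"  # identifier of the custom API in Auth0

def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(sha256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_pkce_pair() -> tuple[str, str]:
    """Fresh high-entropy verifier plus its challenge; keep the verifier server-side."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)

def build_authorize_url(state: str, code_challenge: str,
                        scope: str = "openid profile email") -> str:
    """/authorize request: 'audience' makes Auth0 mint an access token for the API,
    so the user's identity ('sub') travels with the token instead of a shared
    client-credentials identity."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "audience": API_AUDIENCE,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{AUTH0_DOMAIN}/authorize?" + urlencode(params)

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code only if the 'state' matches what we issued."""
    query = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if secrets.compare_digest(query.get("state", ""), expected_state) is False:
        raise ValueError("state mismatch: possible CSRF or stale callback")
    return query["code"]

def build_token_request(code: str, code_verifier: str) -> dict:
    """Body for POST https://{domain}/oauth/token exchanging the code for tokens."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "code": code, "code_verifier": code_verifier, "redirect_uri": REDIRECT_URI}
```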