We implemented passwordless authentication for our web application.
However, we also need to grant access to our API to users who are only interested in the data returned by the API.
What’s the recommended flow? We could use the “Client Credentials Flow”, but how do we track which user is making the requests via the provided access token? Could the access token have a long-lived life? Let’s say more than one month?
I guess we should create Applications programmatically (Auth0 Management API v2), but how do we assign or authorize them programmatically in our Custom API (Machine to Machine Section)?
Would it require a Grant to the created client? Auth0 Management API v2