Hi,
We currently have a backend service that talks to another backend service with secure APIs. From our understanding of the docs, this is exactly what M2M tokens are meant for which use the client-credentials flow.
However, we’re a bit at a loss on how to best handle the renewal of such tokens when they expire.
We CANNOT use refresh tokens because they are not obtainable in the client-credentials flow, so what’s the best approach then?
Hi @OmegaVVeapon,
You can request a new token using your client ID and client secret, the same way you originally requested the token. Do you have a concern with this method?
Let me know,
Dan
hi Dan,
Yes, I’m aware we can just get another token that way.
Re-reading my question, I see that I wasn’t very clear about my concern.
I want to optimise the amount of M2M tokens the application gets as much as possible and was wondering if there’s any best practices on how to handle this.
I was thinking:
exp field to know if it’s expired (most JWT libraries will throw an exception if the token is expired).Does this sound like a reasonable approach to handle M2M token renewals to you? Or is there a documented approach somewhere to handle this common use case?
Cheers,
Alan
This looks pretty standard. A refresh token and a client secret are very similar when we boil them down in a client credentials grant.
This is a secure server, correct? If an attacker has access to your server you probably have a bigger problem than just the tokens, your client secret is more powerful.
If an attacker has access to your server you probably have a bigger problem than just the tokens
That’s a very good point! 
Also, thanks for the comment re: refresh tokens and client secrets, hadn’t thought about it that way.
I’ll mark your as answer as the solution. Thanks for the guidance.
Cheers!
Thanks and cheers! 
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.