Correct way to handle M2M token renewal?


We currently have a backend service that talks to another backend service with secure APIs. From our understanding of the docs, this is exactly what M2M tokens are meant for which use the client-credentials flow.

However, we’re a bit at a loss on how to best handle the renewal of such tokens when they expire.

We CANNOT use refresh tokens because they are not obtainable in the client-credentials flow, so what’s the best approach then?

Hi @OmegaVVeapon,

You can request a new token using your client ID and client secret, the same way you originally requested the token. Do you have a concern with this method?

Let me know,

hi Dan,

Yes, I’m aware we can just get another token that way.

Re-reading my question, I see that I wasn’t very clear about my concern.

I want to optimise the amount of M2M tokens the application gets as much as possible and was wondering if there’s any best practices on how to handle this.

I was thinking:

  1. The application gets a request to call a protected API
  2. It checks it has a cached token stored in memory (would a file be too dangerous?)
  3. If a token exists, the token is decoded and we check the exp field to know if it’s expired (most JWT libraries will throw an exception if the token is expired).
    4a. If the token hasn’t expired, cool, use it to call the protected API
    4b. If the token has expired, request a new M2M token and cache it.

Does this sound like a reasonable approach to handle M2M token renewals to you? Or is there a documented approach somewhere to handle this common use case?


This looks pretty standard. A refresh token and a client secret are very similar when we boil them down in a client credentials grant.

This is a secure server, correct? If an attacker has access to your server you probably have a bigger problem than just the tokens, your client secret is more powerful.

If an attacker has access to your server you probably have a bigger problem than just the tokens

That’s a very good point! :+1:t2:

Also, thanks for the comment re: refresh tokens and client secrets, hadn’t thought about it that way.

I’ll mark your as answer as the solution. Thanks for the guidance.


1 Like

Thanks and cheers! :beers:

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.