Auth0 Home Blog Docs

Create users to authenticate third-party clients

We have a use case, where we want to grant a 3rd-party automated access to an API in order to submit data to our backend automatically. We will probably need to provide this access for most of our users separately.

The docs seem to suggest to create machine-to-machine applications for each user. How is this different from just having a new (technical) user for API usage?

In addition how do I separate the dynamically created apps from the statically configured ones during deployment using auth0-deploy-cli?

Hello cecoebopp

Client Credentials (machine to machine) grants access to applications, not users. It is intended for situations where users are not involved: the canonical example is a cron job/maintenance task.

What are you trying to achieve with the 3rd party access? Is it something that requires user consent?


Hello John,

Thanks for the timely response.

I guess cron job/maintenance task describes pretty well, what we are trying to do. I’ll describe the situation in more detail.

We are in a B2B scenario, where each of our customers owns some piece of software that needs to communicate data to one of our backend systems. So they are a client of our API. Intuitively it makes sense to me to model this as an machine-to-machine application with client credential grants.

Talking about user consent: we definitely do not want to require manual intervention for each data transfer. Ideally the authentication should be setup only once when our customer connects their client to our API. From what I understand, we would create one client app (machine to machine) when a customer needs to give their software access to our API. Is that approach correct?

This client app should only be authorized to access that customer’s data though. How does my backend find out, which customer a client app belong to? Do I need to store the client ID? Or is there a way to attach metadata to the client app’s token?

And I think I found a solution for the auth0-deploy-cli by setting AUTH0_EXCLUDED_CLIENTS in the config and giving every such client the same name.

Ok, if I understand right, this is making sense. It is on a client by client (B2B) sense, but NOT the customers of that client, where the client needs to get the customer’s permission before accessing the data.

M2M is what you want here.

When you create an M2M client(application), take a look in the advanced settings. There’s an “Application Metadata” section where you can store whatever you need to identify the application as belonging to a particular client, then add that value to the M2M token in the client credentials hook.