Okay, I think that’s what we’ve been missing.
Typically, you would be issuing these third party developers each their own client ID and secret, and they would make their requests with client credentials.
Think about it this way; each of these users are essentially creating their own client (AKA application) that is going to interface directly with your API. Because of this, the users should each have their own app registered with Auth0, and should use those credentials to make requests against your API. This is the OAuth2 way of doing things- you see it with most major SaaS providers like Slack, Google, etc.
Hope that helps!