Enable Users to have multiple machine-to-machine applications

I am looking to see if there are any best practices on how to enable my customers to create their own machine-to-machine application. For example, a user logs into my web application, they then click a button to add a machine-to-machine application. They may do this multiple times. Each of these machine-to-machine applications would be associated with the one end-user, such that ONLY that user can view the client id and secret.

I basically do not want to create many, as auth0 calls them, “machine-to-machine applications”, as I, would be able to see any client id and secret associated with any machine-to-machine applications my customers (end users) create.

Essentially I am needing to create a database (i.e. Connection) that holds the list of client id’s/secrets and associate them with an end-user.

Hello mcardle.liam,

What is the use case? I think M2M is not the right approach.

What happens when the user’s session expires? Should the M2M still have access? If so, this seems like a security breach to me. If not, then this isn’t M2M.

Just a guess (more details would help), but I think you need a single M2M application, and users can add “requests” to this M2M application. The request would include the user’s access token, which should be verified, and then the M2M application does whatever it needs. You trust the application (since you wrote it), and verify that the user made the request properly.

John