Help with native application client identification

I’m new to Auth0 and have an architecture/best-practices question. Here’s what I’m trying to accomplish:

  • My application consists of a windows clients (written in C++), and a django website with a REST api (django-rest-framework).
  • When a new user is provisioned, they are emailed a product key.
  • Clients authenticate to the server and are granted permission to different scopes depending on what user installed the application. Users are identified via their product key, which is entered during install.

My questions are:

  1. What is the best way to implement this with Auth0? I’d like to ensure that the user’s product key is not transmitted over the internet unsecured, since it is acting as both their identity and their password.
  2. What is the best way to pass the list of approved product keys to Auth0? hooks?

Apologies if this is a dumb question–L’ve spent a decent amount of time googling and can’t find any examples of someone doing something similar with Auth0.