I have some doubts about how to know if a JWT is an M2M token or a user token. A bit of context:
- I have a Next.js app using the auth0-nextjs SDK (cookie based); the app has an endpoint that works as a proxy to my API. Every time I send a request to this endpoint I get the access_token from the session and send it to my API.
- In the Auth0 rules I need to send a request to my API, so I create an access_token with the client_credentials grant and attach it to the request.
Everything works fine. My doubt is how I can tell whether the token is an M2M token or a token created by the user login: the M2M token should be able to do everything in the app, while the user token has some restrictions. The audience of the 2 tokens should be the same (I assume) as they are tokens for the same service. Do I need to use scopes (so the permissions in the API settings page)? Usually it is good practice to have permissions like
entity:action, but in this case I don't need a granular system; I just need to know if the request is coming from a safe place (Auth0 rules) and let the token access everything…
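A claim-based check the API could run after its JWT middleware has already verified the signature, issuer, expiry and audience, as an added example that is not part of the original post. It relies on Auth0's convention that client_credentials tokens carry a `gty` claim of `client-credentials` and a `sub` of the form `<client_id>@clients` (treat that as an assumption and confirm it against your own tenant's tokens); `allowedClientId` and the placeholder IDs are hypothetical.

```javascript
// Added example, not code from the original post. Assumes the API's JWT
// middleware has ALREADY verified signature, issuer, expiry and audience;
// this only classifies an already-trusted payload.
// Auth0 conventions relied on (assumption, confirm with your tenant's tokens):
//   client_credentials tokens: gty === "client-credentials", sub === "<client_id>@clients"
//   user-login tokens:         sub === "<connection>|<user_id>", e.g. "auth0|abc123"

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// allowedClientId (hypothetical parameter): client_id of the M2M application
// the Auth0 rule uses. Returns 'm2m', 'user' or 'unknown'; only 'm2m' from
// that exact client should be granted unrestricted access.
function classifyToken(jwt, allowedClientId) {
  const c = decodePayload(jwt);
  const sub = typeof c.sub === 'string' ? c.sub : '';
  if (c.gty === 'client-credentials' && sub.endsWith('@clients')) {
    // azp is the authorized party: the client_id the token was issued to.
    // A different M2M client must not be treated as the trusted rule caller.
    return c.azp === allowedClientId && sub === `${allowedClientId}@clients` ? 'm2m' : 'unknown';
  }
  if (sub.includes('|')) return 'user';
  return 'unknown';
}

// Constructed sample tokens for the demo: header and payload only, with a
// placeholder signature segment, so they would NOT pass real verification.
function makeDemoToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.sig`;
}

const RULE_CLIENT_ID = 'RULE_CLIENT_ID_PLACEHOLDER';
const m2mToken = makeDemoToken({ iss: 'https://TENANT.auth0.com/', sub: `${RULE_CLIENT_ID}@clients`, aud: 'https://my-api', azp: RULE_CLIENT_ID, gty: 'client-credentials' });
const userToken = makeDemoToken({ iss: 'https://TENANT.auth0.com/', sub: 'auth0|abc123', aud: 'https://my-api', azp: 'SPA_CLIENT_ID_PLACEHOLDER', scope: 'openid profile' });

console.log(classifyToken(m2mToken, RULE_CLIENT_ID));  // m2m
console.log(classifyToken(userToken, RULE_CLIENT_ID)); // user
```

Pinning the trusted caller to one client_id matters because any other M2M application authorized for the same API would otherwise also pass the `gty` check.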