Thank you for your reply. As I understand your reply, one M2M application per device is the best approach. I was not aware of a scriptable management interface, but if instantiating a new M2M application and pulling out the client_id/client_secret key out is not a big burden on Auth0, then this is the easiest way to go towards our goals.
To answer you question about how many devices, we have <10 right now (due to chip shortages &c.), but it should scale to >10k or above once we exit the startup company phase. How often they get M2M tokens depends on how long the tokens are valid. The software I’m writing does take into account the expiry timestamp of the tokens so the device will defer refreshing the token until it determines that the token won’t be valid by the next time it needs to access the API. I will contact the person responsible for the Auth0 contract to iron out the details for this.
I sincerely thank you for your time considering my question.