How to implement API keys using Auth0?

Is it ok to use ClientId/ClientSecret as api keys and give them to customers?

Yes, client credentials and API keys are very much equivalent. In general, both need to be used only by client applications that are able to securely store them and maintain their confidentiality. Additionally, both put the responsibility of ensuring they don’t leak to whoever they are issued to.

The only real difference is that API keys are validated after being received by the API itself, while client credentials are validated by an independent actor (authorization server) that then issues a temporary assertion that will be included in the request to the API; the assertion (token) can usually be validated by the API without additional requests.

Is it ok to do a Client Credential Grant on the server with the app_id/app_secret?

Yes (with some considerations), you’re mostly just shifting some responsibility from the client application to the server-side. More specifically, the exchange of client credentials for an assertion/token will now be done on the server instead of the client application. However, while reducing the effort required to implement a client application this significantly increases the cost of implementing, maintaining and scaling the server-side.

For example, caching the returned assertion/token in the client application requires some work, but it’s way easier than trying to implement token caching on a server-side component that needs to be aware of multiple client credentials. Also keep in mind that there are limits on the frequency of calls to the token endpoint, so depending on your volume of calls you may need to implement such a caching strategy in order to reuse tokens.

Having said that, you mention that you’re doing this because the client applications are from your customers so the added cost of doing it server-side may not be relevant given it will probably get you either more customers or more satisfied customers. In conclusion, it’s a decision for you to make.

Is this the correct way of doing API keys with Auth0, or is there a better way to do this?

Use of the client credentials grant is the recommended way to achieve the sort of functionality associated with traditional API keys that are used as the basis to identify that the API call is coming from a registered customer and, at the same time, to identify the particular customer so that you know to whom to address the API usage bill.

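The per-client token caching that the answer describes for a server-side component, as an added Python example (not the poster's code and not an Auth0 SDK): the token endpoint is a stand-in function with a hypothetical signature, the response fields and expiry values are constructed, and the clock is injectable so the scenario runs offline.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

@dataclass
class TokenResponse:
    """The two token-endpoint fields the cache needs (constructed shape)."""
    access_token: str
    expires_in: int  # lifetime in seconds, as returned by the token endpoint

class ClientCredentialsCache:
    """Reuse one access token per client_id until shortly before it expires.

    `request_token` stands in for the POST to the authorization server's token
    endpoint (hypothetical signature); `clock` is injectable for the scenario.
    """

    def __init__(self, request_token: Callable[[str, str], TokenResponse],
                 skew: int = 30, clock: Callable[[], float] = time.time) -> None:
        self._request = request_token
        self._skew = skew          # refresh this many seconds before expiry
        self._clock = clock
        self._tokens: Dict[str, Tuple[str, float]] = {}  # client_id -> (token, refresh_at)
        self.endpoint_calls = 0    # how often the token endpoint was hit

    def get_token(self, client_id: str, client_secret: str) -> str:
        cached = self._tokens.get(client_id)
        if cached is not None and self._clock() < cached[1]:
            return cached[0]       # still valid: no token endpoint round trip
        resp = self._request(client_id, client_secret)
        self.endpoint_calls += 1
        refresh_at = self._clock() + max(resp.expires_in - self._skew, 0)
        self._tokens[client_id] = (resp.access_token, refresh_at)
        return resp.access_token

def run_scenario() -> Tuple[int, int, bool]:
    """Constructed scenario: two customers, six API calls, then one expiry."""
    now, issued = [1_000.0], [0]

    def fake_token_endpoint(client_id: str, client_secret: str) -> TokenResponse:
        issued[0] += 1
        return TokenResponse(f"tok-{client_id}-{issued[0]}", expires_in=3600)

    cache = ClientCredentialsCache(fake_token_endpoint, skew=30, clock=lambda: now[0])
    tokens = {cache.get_token(c, "secret-" + c) for c in "ababab"}
    calls_after_six = cache.endpoint_calls   # 2: one request per client_id
    now[0] += 3600                           # past refresh_at for both clients
    cache.get_token("a", "secret-a")         # only "a" is refreshed here
    return calls_after_six, cache.endpoint_calls, len(tokens) == 2
```

Six API calls across two customers cost two token endpoint requests, and a third only once the first token is within the skew window of expiring; a real deployment would additionally persist the cache outside the process and handle token endpoint errors.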