How to know how many and which m2m users have been requested?

Hi, I saw that my developer account’s M2M limit has been exceeded. I hypothesize that a single user has been requested too many times than expected. Is there a way to see, in the current month, which and how many M2M users have been generated?
It seemed to me that once there was this option but now I can’t find it anymore

Based on the logs, you could probably see how many CCG (Client Credentials Grant) calls have been made. So you can reference it back to a specific client id. Other than that, from the usage dashboard, you probably just see the overall M2M call number, but not broken down per client id, etc.

If you need some sort of M2M rate limiting, you could consider a hook (sample hook I put together a while ago):

3 Likes

Thanks for sharing that Mathias!

Thanks for your availability but I don’t think that’s what I’m looking for at the moment.
About the logs: unfortunately I can’t access the logs older than 3 days so I can’t retrieve the information I need. I would like to be able to see how many times an m2m user is requested in the month: like a table with user -> requested quantity

About the script: I didn’t understand, is this something I should do on the client side or would it be placed somewhere on auth0 and would it apply to all clients?

Re script: it runs as Client Credentials Exchange Hook on Auth0 side. It counts all M2M calls per client id (stored in redis) and can rate limit / block when a threshold is reached.

I would like to be able to see how many times an m2m user is requested in the month: like a table with user -> requested quantity

You would see exactly that in the redis (adjust the script to your needs, i.e. don’t delete old entries, just keep it as an info database without blocking attempts). When you say user I assume you’re referring to client_id, as there is no user involved in a M2M flow.

2 Likes

But isn’t there a way to set a “rate limiter” directly from auth0 without relying on external databases?

Unfortunately not, it’s been requested before and therefore logged as feature request in the product backlog. But until something is available, this is a way to handle it for the moment.

2 Likes

Hi Mathia, thank you very much for your availability.
Someone can give me an estimate of when the ticket will start?
I need that limitation and would like to understand if it is worth the wait or implement this limit in other ways like, for example, what you told me

Unfortunately there isn’t a public ETA on that that can be provided at the moment. The rule is relatively simple. The. more users request certain feature the more likely it is that it will get implemented.

Hello,

I was looking for this exact feature today: we allow several external applications to request our API through a client credential flow.

Since there is no built-in limitation to limit an external application to request thousand of token per day, it’s totally possible for an application to deny access to our ressources to an other application, by exceeding our current subscriptions limits.

It’s really annoying to have to rely on external components like redis or database, but, at least, we have a workaround.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.