How to use M2M token scopes

Hello,

I am a little confused as to how we would use scopes present in an M2M token to deny or allow access, since all the scopes allowed for the app are always returned. Does this mean we have to create a new app for every different set of scopes we want to allow?

Thank you!

Would you know how to do it with Actions? In the documentation it says there is a function called api.accessToken.removescope(), but in the M2M flow, Auth0 does not recognize it.


Hi @richardb,

Yes, that’s correct. You would need to create a new M2M application and grant it specific scopes (permissions) from your API.

Let me know if you have any additional questions.

Cheers,
Rueben

Is that the best way to do it? Seems like there should be a more automatic way of doing things, instead of manually creating a new app for every group of services and assigning them different scopes.

Hi @richardb,

Yes, it would be the best way to do it. Let me clarify: you won’t be able to use api.accessToken.removescope() as that’s intended for the authorization code flow, which involves user interaction.

In a client credentials flow (Machine-to-Machine), when the M2M app authorizes against the API, it gets all the permissions defined for that application.

By doing so, you can control the permissions by setting specific scopes for each m2m app.
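As an added example of the API side of this (not code from the thread or from Auth0), the resource server reads the space-delimited `scope` claim of an already-verified access token and compares it with the scopes each operation requires, so two M2M apps that were granted different permissions in the API end up with different access. The claim values, route names and scope names are constructed; JWT signature, issuer, audience and expiry validation is assumed to have happened before these checks.

```python
"""Enforce M2M token scopes on the API side (constructed illustration).

Assumes the JWT was already verified (signature, iss, aud, exp) by your
JWT library; only the authorization decision is shown here.
"""
from dataclasses import dataclass

# Each protected operation lists the scopes it requires (all must be present).
ROUTE_SCOPES = {
    ("GET", "/reports"): {"read:reports"},
    ("POST", "/reports"): {"write:reports"},
    ("DELETE", "/reports"): {"write:reports", "delete:reports"},
}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    client_id: str        # azp claim: which M2M app made the call
    missing: frozenset    # scopes the route needs that the token lacks

def token_scopes(claims: dict) -> frozenset:
    """Return the scopes carried by a verified access token.

    The scope claim is one space-delimited string (RFC 6749 section 3.3).
    A client-credentials token carries every permission granted to that
    app, so the set reflects the app's grant, not the individual request.
    """
    raw = claims.get("scope", "")
    if not isinstance(raw, str):
        raise ValueError("scope claim must be a string")
    return frozenset(s for s in raw.split(" ") if s)

def authorize(claims: dict, method: str, path: str) -> Decision:
    """Allow the call only if the token holds every scope the route requires."""
    required = ROUTE_SCOPES.get((method, path))
    if required is None:
        # Fail closed: an operation without a scope policy is not exposed.
        return Decision(False, claims.get("azp", "?"), frozenset())
    missing = frozenset(required - token_scopes(claims))
    return Decision(not missing, claims.get("azp", "?"), missing)

# Constructed payloads shaped like verified M2M access tokens: the two apps
# differ only in which scopes were granted to them in the API.
REPORTING_SERVICE = {"iss": "https://example-tenant.auth0.com/", "sub": "abc123@clients",
                     "aud": "https://reports.example.invalid", "azp": "abc123",
                     "gty": "client-credentials", "scope": "read:reports write:reports"}
CLEANUP_SERVICE = {**REPORTING_SERVICE, "sub": "def456@clients", "azp": "def456",
                   "scope": "write:reports delete:reports"}

if __name__ == "__main__":
    for claims in (REPORTING_SERVICE, CLEANUP_SERVICE):
        d = authorize(claims, "DELETE", "/reports")
        print(d.client_id, "DELETE /reports ->", "allowed" if d.allowed else sorted(d.missing))
```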
