Implementing personal access token

In the absence of per user personal access token Personal Access Tokens or API Keys, was wondering how are auth0 customers implementing this feature? Are they managing the tokens inside their app?

Hey @amit9 - The only possible approach I’m aware of currently would be essentially using client credentials via an M2M app per user. Outside of that it’s not something that’s supported for the time being. I saw that you added to the feedback request, thanks for that!

Regarding M2M approach per user, is it possible to attach auth0 app metadata to access token? By attaching app metadata I mean attaching to token within rule not user metadata, but application metadata in case we request access token with client_id and client_secret.

1 Like

Hey @vlad.pesternikov welcome to the community!

That should be possible, see:

Thanks @tyf for the prompt reply. I tried the following things and none of them seem to work:

  • Rules - i had a rule which will add user metadata into the JWT token for the PKCE flow and it works fine, i just extended it to take care of M2M
function (user, context, callback) {
  const namespace = "https://unskript.io/"; // my_namespace is a placeholder...
  const user_metadata = user.app_metadata || {};
  if (user_metadata !== {}) {
    context.accessToken[namespace + "app_metadata"] = user_metadata;
  } else {
		context.accessToken[namespace + "app_metadata"] = context.clientMetadata;
  }
  return callback(null, user, context);
}
  • Actions -
exports.onExecuteCredentialsExchange = async (event, api) => {
  api.accessToken.setCustomClaim("https://foo.bar", event.client.metadata)
};

When i do the curl POST to get the access token

POST https://<YOUR_AUTH0_DOMAIN>/oauth/token
Content-Type: application/json
{
  "audience": "<API_IDENTIFIER>",
  "grant_type": "client_credentials",
  "client_id": "<YOUR_CLIENT_ID>",
  "client_secret": "<YOUR_CLIENT_SECRET>"
}

and i parse the JWT token, i dont see the custom claim or app_metadata. What am i doing wrong here?

No problem, happy to help!

Your action looks good - Are you positive you have it set on the Machine to Machine flow (Actions → Flows → Machine to Machine). I just tested with the same action and it’s pulling the claim and app_metadata through to the token.

Oh you know what i just created an action and didnt put it in the flow. Its working fine, however the rules way didnt work, any idea why?

1 Like

Great! Good to know the action is working as expected :slight_smile: You’d need to use a hook instead as rules won’t apply to an M2M flow.

Oh good to know. One last question @tyf , M2M access tokens derive the expiration time from the API attached to it and AFAIK, API cant have indefinite expiration. Any way, we can achieve indefinite expiration for such tokens?

Hey there @amit9 just following up on this - While there is no way to mint access tokens that don’t expire, in an M2M flow you should just be able to request a new token when needed. The following posts outline this: