In the absence of per user personal access token Personal Access Tokens or API Keys , was wondering how are auth0 customers implementing this feature? Are they managing the tokens inside their app?

Hey @amit9 - The only possible approach I’m aware of currently would be essentially using client credentials via an M2M app per user. Outside of that it’s not something that’s supported for the time being. I saw that you added to the feedback request, thanks for that!

Regarding M2M approach per user, is it possible to attach auth0 app metadata to access token? By attaching app metadata I mean attaching to token within rule not user metadata, but application metadata in case we request access token with client_id and client_secret.

Hey @vlad.pesternikov welcome to the community! [image] vlad.pesternikov: By attaching app metadata I mean attaching to token within rule not user metadata, but application metadata in case we request access token with client_id and client_secret. That should be possible, see: […

Thanks @ty.frith for the prompt reply. I tried the following things and none of them seem to work: Rules - i had a rule which will add user metadata into the JWT token for the PKCE flow and it works fine, i just extended it to take care of M2M function (user, context, callback) { const namespac…

No problem, happy to help! [image] amit9: and i parse the JWT token, i dont see the custom claim or app_metadata. What am i doing wrong here? Your action looks good - Are you positive you have it set on the Machine to Machine flow (Actions → Flows → Machine to Machine). I just tested with th…

Oh you know what i just created an action and didnt put it in the flow. Its working fine, however the rules way didnt work, any idea why?

Great! Good to know the action is working as expected :slight_smile: You’d need to use a hook instead as rules won’t apply to an M2M flow. [image] Getting client metadata in non-interactive clients access tokens Help You should be able to accomplish your requirements by …

Oh good to know. One last question @ty.frith , M2M access tokens derive the expiration time from the API attached to it and AFAIK, API cant have indefinite expiration. Any way, we can achieve indefinite expiration for such tokens?

Implementing personal access token

Get Help

ty.frith September 20, 2022, 10:45pm 12

Hey there @amit9 just following up on this - While there is no way to mint access tokens that don’t expire, in an M2M flow you should just be able to request a new token when needed. The following posts outline this:

Topic		Replies	Views
Authenticate third-party apps Get Help jwt , auth0 , app_metadata , machine-to-machine	6	3487	October 1, 2022
Client Credentials M2M Login customize token Archived jwt , auth0 , rules , access-token	3	3834	May 11, 2020
Rules do not fire on M2M client_credentials flow Archived rules	3	6038	April 27, 2020
Migrating rule Adding user details to access token to action Get Help jwt , auth0 , login	1	1809	May 31, 2022
Auth0 Actions for M2M to return Application metadata in JWT Get Help management-api , clients	1	1043	August 16, 2023

Implementing personal access token

Related topics