Limit the Number of M2M Token Exchanges per Application

Problem statement

Enforce a maximum limit on the number of M2M token exchanges per application.

Solution

There is currently no standard functionality that allows rate limits to be configured for machine-to-machine token exchanges on a per-application basis. However, two custom solutions are outlined here:

1. Log Streams send tenant logs to external systems in near real-time. For more information, refer to the Log Streams documentation. Using this option, the log management system forwards log events to an external service. This data can be used to help enforce a per-client quota policy. When the per-client quota is exceeded, a function removes the client_credentials grant from the violating client with a call to Update a Client to pause further usage.

2. Actions can be used to monitor the M2M flow and enforce quota limits on individual client applications. Information about maximum usage per application must be stored in an external data store. A Client Credentials Exchange Action could then execute and compare current token usage. The general pattern of such an Action could be as follows:

// Client Credentials Exchange Action
exports.onExecuteCredentialsExchange = async (event, api) => {
  // Custom logic to keep track of this application's token usage and compare
  // it with the threshold held in an external data store, e.g. keyed by
  // event.client.client_id.
  const thresholdReached = false; // replace with the lookup described above

  // If the current threshold has been reached for this application, deny
  // further access. api.access.deny(code, reason) stops the exchange.
  if (thresholdReached) {
    api.access.deny('quota_exceeded', 'M2M token quota reached for this application');
  }
};

The above pattern could be used as the basis of a more sophisticated Action that is tailored to individual requirements. For more information, refer to Machine to Machine flow and Actions Triggers: credentials-exchange - API Object.
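The following is an added example, not code from the article or from Auth0, showing both options above on top of one shared per-client counter: a Log Stream consumer that counts successful client-credentials exchanges and reports which clients have just crossed their quota (option 1), and the decision logic a Client Credentials Exchange Action would run before issuance (option 2). The in-memory QuotaStore stands in for the external data store the article requires, the daily window and the limits table are assumed policy, and the sample log batch is constructed. `api.access.deny(code, reason)`, `event.client.client_id`, the `seccft` log event type code and the `grant_types` field of Update a Client are real Auth0 identifiers; everything else is this example's own naming.

```javascript
// Added example (not Auth0's or the article's own code): one shared per-client
// counter with the two enforcement paths the article outlines.
// The in-memory QuotaStore stands in for the external data store the article
// requires; the daily window and the limits table are assumed policy.

const WINDOW_MS = 24 * 60 * 60 * 1000; // fixed daily window (assumed policy)

// Fixed-window counter keyed by client_id. `now` is injectable for testing.
class QuotaStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.buckets = new Map();
  }
  bucket(clientId) {
    const t = this.now();
    let b = this.buckets.get(clientId);
    if (!b || t - b.start >= WINDOW_MS) {
      b = { start: t, count: 0 }; // start a new window
      this.buckets.set(clientId, b);
    }
    return b;
  }
  count(clientId) { return this.bucket(clientId).count; }
  increment(clientId) { return ++this.bucket(clientId).count; }
}

// Option 1: Log Stream consumer. Only successful client-credentials exchanges
// (Auth0 log event type code "seccft") count. Returns the client_ids that have
// just crossed their quota, exactly once per client per window, so the caller
// can pause each one with Update a Client (PATCH /api/v2/clients/{id}).
function processLogBatch(events, store, limits) {
  const crossed = [];
  for (const ev of events) {
    if (ev.type !== 'seccft') continue;
    const limit = limits[ev.client_id];
    if (limit === undefined) continue; // no quota configured for this client
    if (store.increment(ev.client_id) === limit + 1) crossed.push(ev.client_id);
  }
  return crossed;
}

// Body for Update a Client that removes client_credentials from the client's
// current grant types (fetch them first: PATCH replaces the whole array).
function pausePayload(currentGrantTypes) {
  return { grant_types: currentGrantTypes.filter((g) => g !== 'client_credentials') };
}

// Option 2: decision used by a Client Credentials Exchange Action. Checking
// before issuance means a denied token is never minted, unlike option 1, which
// reacts to logs after the fact. Returns null when the exchange may proceed.
function decideExchange(store, limits, clientId) {
  const limit = limits[clientId];
  if (limit === undefined) return null; // unlimited
  if (store.count(clientId) >= limit) {
    return {
      code: 'quota_exceeded',
      reason: `client ${clientId} exceeded ${limit} M2M token exchanges in the current window`,
    };
  }
  store.increment(clientId);
  return null;
}

// The Action handler itself. A real deployment would read `store`/`limits` from
// the external data store (e.g. over HTTPS, with credentials in event.secrets)
// and assign this to exports.onExecuteCredentialsExchange.
function makeOnExecuteCredentialsExchange(store, limits) {
  return async (event, api) => {
    const denial = decideExchange(store, limits, event.client.client_id);
    if (denial) api.access.deny(denial.code, denial.reason);
  };
}

// Constructed sample: four successful exchanges and one unrelated login event
// for a client whose daily quota is 2.
const SAMPLE_EVENTS = [
  { type: 'seccft', client_id: 'abc123' },
  { type: 'seccft', client_id: 'abc123' },
  { type: 's', client_id: 'abc123' }, // successful login, not counted
  { type: 'seccft', client_id: 'abc123' },
  { type: 'seccft', client_id: 'abc123' },
];
const SAMPLE_LIMITS = { abc123: 2 };

// Runs option 1 over the sample batch and shows the resulting pause payload.
function demo() {
  const store = new QuotaStore(() => 0);
  const crossed = processLogBatch(SAMPLE_EVENTS, store, SAMPLE_LIMITS);
  return {
    crossed,
    count: store.count('abc123'),
    payload: pausePayload(['client_credentials', 'authorization_code']),
  };
}
```

The two paths differ in where the cost lands: the Action path adds a data-store round trip to every exchange but never issues a token over quota, while the Log Stream path leaves the token endpoint untouched and accepts that a few exchanges beyond the limit will succeed before the grant is removed.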

NOTE: before embarking on building a custom solution, be aware that a feature to restrict token consumption by individual applications is on the Product Roadmap and is scheduled for release in the first half of 2024. The availability of this new feature will make options 1) and 2) described above redundant. So before expending time and effort developing a solution, post a question to our Community and request an update about the scheduled availability of this feature.
