M2M Applications - Client credentials flow so a user can consume an API with a secret key

Hello, I have a doubt regarding M2M Applications.

Our clients (enterprises) interact with our API via an M2M Application (client credentials flow) per client (with their associated permissions per application to consume our services).

Our clients integrate our API in their server or custom APIs, so it made sense to use M2M Applications.

We also have a dashboard where each client (the enterprise) has many users (their employees) where they can monitor consumption, stats and results from our services.

We noticed we have been reaching the M2M token quota because some of our clients are in the integration process (or perhaps have a bad implementation), so they log in multiple times a day and Auth0 issues a new token (counting towards the quota).

We can’t always control this scenario.

We also noticed there’s a limit of 100 applications per tenant so we would be limited to 100 clients.

Is this the right approach to integrate with Auth0 or is there a better implementation we can look into?

Hello @david.silis,

Welcome to the Community! Are there actual users present in these authentication flows? Client credentials is meant to be used when there is no user present. The term “machine-to-machine” can be misleading here … you can have one API talking to another API, but there can still be a user involved, in which case you should be using something like the authorization code grant flow.

Hello @markd, sorry for the late reply.

There is no user present when consuming our API.

We generate users for a SPA dashboard but these users don’t use the API.

I was thinking, for example, of some services where you create an account with email/password and it generates some API keys for you to integrate/consume the service (API); our use case is similar to those.

I can share more details in a private conversation if it’s necessary, thanks.

I don’t know if this helps, but for M2M we provide our own endpoint for token exchange, except we cache the token Auth0 gives us for the duration of the token expiry. Basically a broker. That way, per client ID, we never hit Auth0 more than once a day and our quota use remains in our control.

1 Like
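The caching broker described in the reply above, as an added example that is not code from the original thread or from Auth0. It assumes a callable that performs the client credentials exchange (a constructed `FakeIssuer` stands in for Auth0's token endpoint here), keys the cache on a hash of the presented secret so a caller with the wrong secret is never served another tenant's cached token, and refreshes slightly before expiry so callers never receive a token that is about to lapse.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed stand-in for the issuer's client-credentials endpoint:
# (client_id, client_secret, audience) -> (access_token, expires_in seconds).
class FakeIssuer:
    def __init__(self, registry: Dict[str, str]):
        self.registry = registry   # client_id -> client_secret (constructed sample values)
        self.calls = 0             # how often the broker actually reached the issuer

    def token(self, client_id: str, client_secret: str, audience: str) -> Tuple[str, int]:
        self.calls += 1
        if self.registry.get(client_id) != client_secret:
            raise PermissionError("invalid client credentials")
        return f"{client_id}-{audience}-{self.calls}", 86400   # 24h lifetime, as in the reply

@dataclass
class CachedToken:
    access_token: str
    expires_at: float   # epoch seconds

class TokenBroker:
    """Serves one cached token per (client_id, audience, secret) until shortly before expiry."""
    def __init__(self, fetch: Callable[[str, str, str], Tuple[str, int]],
                 now: Callable[[], float] = time.time, refresh_margin: int = 60):
        self._fetch = fetch            # the real exchange against the issuer
        self._now = now                # injectable clock, so expiry can be tested offline
        self._margin = refresh_margin  # re-fetch this many seconds before the token expires
        self._cache: Dict[Tuple[str, str, str], CachedToken] = {}

    def get_token(self, client_id: str, client_secret: str, audience: str) -> str:
        # Keying on a hash of the secret means a wrong secret is always a cache miss and is
        # forwarded to the issuer, which rejects it; the cached token is never leaked.
        secret_fp = hashlib.sha256(client_secret.encode()).hexdigest()
        key = (client_id, audience, secret_fp)
        entry = self._cache.get(key)
        if entry is not None and entry.expires_at - self._margin > self._now():
            return entry.access_token
        token, expires_in = self._fetch(client_id, client_secret, audience)
        self._cache[key] = CachedToken(token, self._now() + expires_in)
        return token

if __name__ == "__main__":
    issuer = FakeIssuer({"acme": "s3cret"})
    broker = TokenBroker(issuer.token)
    for _ in range(3):   # three calls from the same client, one round trip to the issuer
        broker.get_token("acme", "s3cret", "https://api.example")
    print("issuer calls:", issuer.calls)   # prints "issuer calls: 1"
```

The same pattern applies unchanged when `fetch` is a real POST to the issuer's token endpoint; the cache then also needs to survive broker restarts (or accept one extra fetch per restart).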