I’m just in the process of reviewing our use of Auth0 as the Auth server for out app, but I wasn’t able to clarify if the M2M limit applies to the PKCE flow within and SPA. Can you let me know if M2M includes the issuing of tokens to web/SPA clients?
M2M tokens are tokens that are issued to registered M2M apps. If your SPA is requesting an access token on behalf of a user, this wouldn’t be considered a M2M token.
For the quota: only tokens that have a non-auth0 audience (tokens that aren’t designated for the management API or userinfo endpoint) will count against your quota.