Feature: Lift the M2M quota restrictions; bill client credentials by unique client id by day.
Description: This was already mentioned in many topics, such as this one or this one.
I would just add that the two most popular workarounds allow anyone to have a form of machine-to-machine auth billed per unique active client_id per day. Only they are less secure and more cumbersome. Those are: using standard user accounts with password authentication, or building a cache layer on top of auth0 and exposing that to our customers.
The first one mixes direct user auth with machine auth, requires having an application which allows password auth, and then nothing prevents a real user from using this application with direct password auth in a frontend application and thus exposing their password…
The second one requires us to reimplement a new layer of caching and is less secure since we have to handle tokens on behalf of our users, which nullifies some of the advantages of auth0 and what we liked in auth0 in the first place!
In general the M2M apis of auth0 are awkward and seem like an afterthought compared to a user auth flow that is very good and works very well.
So, in terms of billing, people can just use the workaround and pay by unique active client id per day; can we do it safely through M2M auth as the universe intended? No need for complex caching functionality, just drop the quotas and unify your flows and billing strategies.
Use-case: Well, something very basic. We have an API that we integrate with other APIs. We have no way of controlling how often and how liberally our customers authenticate. So a customer can make us pay an arbitrarily high amount of money or just bust our quota and block all our other customers.