M2M token storage

I’m using M2M tokens for other backend servers to directly access my API by issuing tokens through the client credentials grant.

The backend server will use this token to access my API servers times over the next 12 hours.

What is the best way for them to store this token? I see many articles describing how to save these tokens on client side, but what is the best practice for M2M tokens?


Hi @ryangoy,

Welcome to the Community!

I don’t think we have much guidance on this. I am going to reach out to the team and see what they recommend.

What framework are you using?

Hi @dan.woda,

Thanks for the welcome 🙂

I am using Node.js for the backend, run on AWS Lambda.

I have the developer pro plan, so I received an answer from support. There were two options provided: (1) I could switch over to using a Password Grant [https://auth0.com/docs/flows/call-your-api-using-resource-owner-password-flow], or (2) I could cache tokens on my backend and essentially wrap the /oauth/token endpoint.

I believe option (2) would require me to validate the M2M key pair on my own in the case I return a cached access token, so I’m going with option (1) for now. I’ll update when I get a solution working!
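Added example, not part of the original thread and not Auth0's own code: one way a calling Node.js backend can hold an M2M token for its lifetime is to keep it in process memory only and request a new one shortly before it expires. The names `createTokenCache`, `clientCredentialsFetcher`, `EXPIRY_SKEW_MS` and the settings passed to the fetcher are hypothetical, and the global `fetch` assumes Node.js 18 or later.

```javascript
// Added example (hypothetical names): in-memory cache for an M2M access token.
// Declare the cache at module scope so a warm Lambda container reuses it.
const EXPIRY_SKEW_MS = 60_000; // refresh one minute before the token expires

function createTokenCache(fetchToken, now = Date.now) {
  let cached = null;   // { accessToken, expiresAt } held in process memory only
  let inFlight = null; // shared promise: concurrent callers trigger one request

  async function getToken() {
    if (cached && now() < cached.expiresAt - EXPIRY_SKEW_MS) {
      return cached.accessToken;
    }
    if (!inFlight) {
      inFlight = Promise.resolve()
        .then(fetchToken)
        .then((res) => {
          if (!res || typeof res.access_token !== 'string' || !(res.expires_in > 0)) {
            throw new Error('malformed token response');
          }
          cached = {
            accessToken: res.access_token,
            expiresAt: now() + res.expires_in * 1000,
          };
          return cached.accessToken;
        })
        .finally(() => { inFlight = null; });
    }
    return inFlight;
  }

  // Call after the API answers 401 so the next getToken() fetches a fresh token.
  function invalidate() { cached = null; }

  return { getToken, invalidate };
}

// Fetcher for the client credentials grant; all four settings are placeholders
// supplied by the caller (e.g. from environment variables or a secrets manager).
function clientCredentialsFetcher({ tokenUrl, clientId, clientSecret, audience }) {
  return async () => {
    const res = await fetch(tokenUrl, {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ grant_type: 'client_credentials',
        client_id: clientId, client_secret: clientSecret, audience }),
    });
    if (!res.ok) throw new Error(`token request failed: ${res.status}`);
    return res.json();
  };
}
```

Because the token never leaves process memory, a cold start simply requests a new one; nothing is written to disk, logs or environment variables.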

Thanks for the update!

@dan.woda I’m trying to get a refresh token to display to the user so they can fetch access tokens in a backend-to-backend call.

I’m using this guide https://auth0.com/docs/tokens/refresh-tokens/get-refresh-tokens

In the first section, a parameter I’m not sure what to do with is state={OPAQUE_VALUE}. What should I be inputting for that?


The state param is *a unique and non-guessable value associated with each authentication request*.

It can be an encoded piece of information, or a random nonce.

This doc explains its usage:
