I’m aware that a Machine to Machine application is created to pass access tokens as an HTTP authorization header to authenticate calls to API endpoints.
Would there ever be a scenario where you would have one Machine to Machine application which you would use to authorize multiple API endpoints? If so, why and in what circumstance? Or would it be best practice to have one Machine to Machine app for each API created?
The question is “what is a different API”. From an Auth point of view, two APIs are different if they have different security requirements or contexts. From a dev point of view, two APIs are different if they have different functions.
So, even if two APIs are different from a dev point of view, they could have the same security context and thus use the same audience.
Take a look at your security requirements and decide…
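As an added illustration of the "same security context, same audience" point above (example code, not from the poster or any particular identity provider): two hypothetical APIs, orders and inventory, share one audience, while billing has its own, so one M2M token is accepted by the first two and rejected by the third. The signing secret, client id and audience URIs are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed HS256 secret shared by a hypothetical token issuer and the APIs;
# a real deployment would verify against the issuer's published keys instead.
SECRET = b"constructed-demo-secret"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_m2m_token(client_id: str, audience: str, ttl: int = 300) -> str:
    """Issue a short-lived JWT for one M2M client, bound to one audience."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    now = int(time.time())
    claims = {"sub": client_id, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def authorize(authorization_header: str, expected_audience: str) -> bool:
    """Accept the call only if the bearer token is valid for this API's audience."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return False
    header, body, sig = token.split(".")
    try:
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return False  # refuse anything but the algorithm we verify with
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return False
    if claims.get("exp", 0) <= int(time.time()):
        return False
    aud = claims.get("aud")
    return expected_audience in (aud if isinstance(aud, list) else [aud])

# Two APIs in one security context share an audience; billing is a separate context.
API_AUDIENCE = {
    "orders": "https://api.example.test/internal",
    "inventory": "https://api.example.test/internal",
    "billing": "https://api.example.test/billing",
}

def call_api(api_name: str, token: str) -> bool:
    """Simulate an API endpoint checking the Authorization header for its audience."""
    return authorize(f"Bearer {token}", API_AUDIENCE[api_name])
```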