I have a single Auth0 application that will be assigned scopes when requesting an access token. The machines requesting this token will all use the same client id and secret from the application. The only difference is the Auth0 API audience - there will be a different Auth0 API for each machine requesting the token. Is this the proper way to assign scopes on the access token?
Or, should each machine use a different Auth0 application (with different client ids and secrets) and be granted an access token using a single Auth0 API (audience)? Is one more secure than the other?