Need help architecting Auth0

We want to architect Auth0 such that whenever a user signs up on our developer portal, they have their own client_secret and client_id. I know this can be achieved by creating one application per user.
Say I have 10 users: I will have 10 applications of type machine-to-machine, one per user. All of these will be authorized with a common audience.

I can do it this far. Now user x has access to its client_id and client_secret and can issue an access token whenever they want.

I issued an access token for one sample user, but the permission it lists is client_grant. What I want is to be able to add more permissions on this token, like read:messages, delete:messages.

Can this be done on the application level? Because this token is granted through the client credentials flow as follows:

curl --request POST \
--url 'https://<DOMAIN>' \
--header 'content-type: application/x-www-form-urlencoded' \
--data 'grant_type=client_credentials' \
--data 'client_id=<id>' \
--data 'client_secret=<secret>' \
--data 'audience=<audience>'

This tells me the token is not tied to a user, so adding permissions on the user won't help, right?

What approach can I take here? PS: My understanding of Auth0 and OAuth 2.0 in general is pretty weak.
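
Added example, not part of the original post: how the API behind the common audience could check a client-credentials token for the scopes named above (read:messages, delete:messages) before serving a request. It assumes an HS256-signed JWT with a space-separated `scope` claim; the secret, audience, client id and claim values are constructed sample data, and `authorize` and `make_sample_token` are hypothetical helper names.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_sample_token(claims, secret):
    """Build a constructed HS256 token so the example runs offline."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    data = f"{head}.{b64url_encode(json.dumps(claims).encode())}"
    return f"{data}.{b64url_encode(sign(data, secret))}"

def authorize(token, secret, audience, required_scopes, now=None):
    """Return (allowed, reason) for a client-credentials access token."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
            return False, "unexpected algorithm"
        if not hmac.compare_digest(sign(f"{head}.{body}", secret), b64url_decode(sig)):
            return False, "bad signature"
        claims = json.loads(b64url_decode(body))
        aud = claims.get("aud")
    except (ValueError, AttributeError):
        return False, "malformed token"
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    if claims.get("exp", 0) <= (now or time.time()):
        return False, "expired"
    # Assumption: granted scopes arrive as a space-separated "scope" claim.
    missing = sorted(set(required_scopes) - set(str(claims.get("scope", "")).split()))
    if missing:
        return False, "missing scope: " + " ".join(missing)
    return True, "ok"

SECRET = b"constructed-signing-secret"  # constructed sample values from here on
AUDIENCE = "https://api.example.test/"
# Assumed claim shape for a machine-to-machine token: the subject is the client, not a user.
CLAIMS = {"sub": "sample-client-id@clients", "aud": AUDIENCE, "exp": 4102444800, "scope": "read:messages"}
SAMPLE = make_sample_token(CLAIMS, SECRET)

if __name__ == "__main__":
    print(authorize(SAMPLE, SECRET, AUDIENCE, ["read:messages"]))
    print(authorize(SAMPLE, SECRET, AUDIENCE, ["read:messages", "delete:messages"]))
```

The second call is refused because the sample token was only granted read:messages, which is the per-application check the question is asking about.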