NextJs Auth0 - getAccessToken M2M Quota Limits?

  • Which SDK this is regarding: "@auth0/nextjs-auth0": "1.9.0"

Hi there,
I’m setting up a NextJs application that will use Auth0 to login/signup, social logins included.
This app needs to call our backend with information about the logged user.

I’m following the example provided to setup a Next Js Regular web application from the Auth0 Dashboard.

In particular I’m interested in the following:
https://github.com/auth0/nextjs-auth0/blob/main/EXAMPLES.md#access-an-external-api-from-an-api-route

After the user successfully logs in, I can see the nextjs-auth0 SDK creates an appSession cookie, which is encrypted.

I managed to get an accessToken (JWT) from the appSession using the following example:

```javascript
import { withApiAuthRequired, getAccessToken } from '@auth0/nextjs-auth0';

// API route that only runs for a logged-in user (otherwise responds 401)
export default withApiAuthRequired(async function products(req, res) {
  // If your Access Token is expired and you have a Refresh Token
  // `getAccessToken` will fetch you a new one using the `refresh_token` grant
  const { accessToken } = await getAccessToken(req, res, {
    scopes: ['read:products']
  });
  // Call the external API on behalf of the logged-in user
  const response = await fetch('https://api.example.com/products', {
    headers: {
      Authorization: `Bearer ${accessToken}`
    }
  });
  const products = await response.json();
  res.status(200).json(products);
});
```

I need to have the access token to call our backend APIs with information about the logged user identity.

My questions are the following:

  1. If I use as Audience the default Auth0 Management API under Dashboard → Applications → APIs, and call getAccessToken as above, will this result in a consumption of M2M Token Quota limits?
    My understanding is that it should not, since the accessToken returned is related to the user.
    In particular I am referring to Pricing → Compare Plans, which links to the following documentation for M2M Token Quota (Client Credentials Flow)

  2. Same question as 1): what happens if, instead of using the default Auth0 Management API, I use as Audience a custom API created under Dashboard → Applications → APIs? Are M2M Quota limits impacted by the call to getAccessToken?

  3. The same example in the NextJsAuth0 SDK refers to refresh tokens. In particular, if offline_access is provided as a scope, it seems I can get a refresh token along with the access token (as read here: add support for refresh token · Issue #4 · auth0/nextjs-auth0 · GitHub). By calling getAccessToken with refresh: true, the code states the following:

```typescript
/**
 * If set to true, a new Access Token will be requested with the Refresh Token grant, regardless of whether
 * the Access Token has expired or not.
 */
refresh?: boolean
```

The question in this case is also: by using getAppSession with refresh: true (refresh tokens), am I impacting M2M Quota limits?

Hope to get some clarification/reply soon.
Have a nice day

I value and respect your opinion!

I’ve dug more into the question.

What I’ve found is this https://community.auth0.com/t/get-details-of-authentication-calls/38981/2.

Basically M2M calls that are accounted in the quota should be those marked in the logs as seccft events (Client credentials exchange).
It seems also that M2M token quota is impacted only by Client Credentials exchanges that are not related to the user (access tokens related to social logins, standard logins should be excluded).

From the logs I see in my dashboard, after a successful login on my NextJs website and the retrieval of an access token using getAccessToken, the following events appear in the log:

  1. event of type “s”: Successful login
  2. event of “type”: “seacft” → “description”: “Authorization Code for Access Token”

My understanding thus is that getAccessToken for the logged user does not count for the M2M Quota.
Anyhow, I would like a confirmation about this from the Auth0 Team.

Have a nice day

Hi there @stefano.brandoli23 welcome to the community and thanks for following up with your findings!

This is correct. M2M (machine to machine) tokens, and thus the quota, are only related to M2M apps/tokens where there is no user involved.

This is correct - These types of access tokens do not apply towards the M2M quota, and neither do management API tokens. Some more on that here:

Hope this helps!
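As an added illustration (not code from any post in this thread or from the Auth0 SDK), the following script applies the distinction the thread settles on to tenant log events: only Client Credentials exchanges ("seccft") count toward the M2M quota, while the login ("s") and Authorization Code exchange ("seacft") produced by a user session do not. The sample events are constructed; the "sertft" type is assumed to be the refresh-token exchange code and is deliberately left unclassified because the thread does not state its quota treatment.

```javascript
// Added example: audit which Auth0 tenant log events consume the M2M token quota.
// Event type codes taken from the thread:
//   "s"      Successful login                      (user involved, no M2M quota)
//   "seacft" Authorization Code for Access Token   (user involved, no M2M quota)
//   "seccft" Client Credentials exchange           (machine-to-machine, counts toward quota)
// Any other type is reported as "other" instead of being guessed at.
const QUOTA_CONSUMING_TYPES = new Set(['seccft']);
const USER_FLOW_TYPES = new Set(['s', 'seacft']);

function classifyEvent(event) {
  if (QUOTA_CONSUMING_TYPES.has(event.type)) return 'm2m_quota';
  if (USER_FLOW_TYPES.has(event.type)) return 'user_flow';
  return 'other';
}

// Tally a batch of log events (one object per event, as exported from the tenant logs)
// and attribute quota-consuming exchanges to the client that performed them.
function summarizeQuotaUsage(events) {
  const summary = { m2m_quota: 0, user_flow: 0, other: 0, byClient: {} };
  for (const event of events) {
    const bucket = classifyEvent(event);
    summary[bucket] += 1;
    if (bucket === 'm2m_quota') {
      const client = event.client_name ?? event.client_id ?? 'unknown';
      summary.byClient[client] = (summary.byClient[client] ?? 0) + 1;
    }
  }
  return summary;
}

// Constructed sample: the poster's sequence (login, then getAccessToken) for the web app,
// two separate client-credentials exchanges by a backend worker, and one refresh exchange.
const SAMPLE_EVENTS = [
  { type: 's', description: 'Successful login', client_name: 'NextJs Web App' },
  { type: 'seacft', description: 'Authorization Code for Access Token', client_name: 'NextJs Web App' },
  { type: 'seccft', description: 'Client Credentials exchange', client_name: 'Backend Worker' },
  { type: 'seccft', description: 'Client Credentials exchange', client_name: 'Backend Worker' },
  // "sertft" is assumed (not from the thread) to be the refresh-token exchange; left as "other"
  { type: 'sertft', description: 'Refresh token exchange', client_name: 'NextJs Web App' },
];

function sampleSummary() {
  return summarizeQuotaUsage(SAMPLE_EVENTS);
}

console.log(JSON.stringify(sampleSummary(), null, 2));
```

Running it against real exported logs makes it easy to spot which clients are actually burning the quota, which is the check the poster did by hand in the dashboard.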
