Auth0 Home Blog Docs

OAuth for generating Management API tokens

api
management-api
oauth
refresh-tokens
tokens

#1

From the Management API documentation it seems that user would need to share the manually generated token or their client_id and client_secret in order to generate a token.

Is there a way to interact with the Management API using OAuth so that at the end of the OAuth flow the output is an access_token and a refresh_token that will be later used to request a Management API token?


#2

The recommended approach to obtain tokens for the Management API is to make use of OAuth2 client credentials flow like it’s mentioned in the documentation you linked to.

A refresh token for client credentials grant is a bit redundant because a refresh token is meant to represent a specific grant that was issued and which can be reused to obtain refreshed access tokens at a later time. This is equivalent to the client identifier and client secret because that information when used within the scope of client credentials grant is already sufficient to represent the grant in question and can also be used to obtain refreshed access tokens.

In conclusion, the answer to your question is no. If you want to give access to the Management API to a given application then that application will need to know a client identifier and a client secret and perform a client credentials grant.


#3

Thank you for the answer @jmangelo, I’ll make sure to use the client_id and client_secret in order to obtain tokens.


#4