Preferred way to use M2M for multiple companies towards the same API

As a newcomer to Auth0 I’m curious as to what is the preferred way to allow multiple companies into my API that supports multi tenancy. It is imperative that each one them has their own login means (ClientId/ClientSecret?) but from the API I need to know which company they represent.

Any suggestions appreciated, but please be very elaborate as I’m not very strong in security.

Hi @nra,

Welcome to the Community!

The client credentials grant (using a seperate client ID and client secret for each customer) will likely be the best solution for this. Here is a topic that discusses it, and some of the limits on creating new applications. Feel free to ask questions if you have them. Do you know roughly how many customers/applications you plan on supporting?

Hi @dan.woda
Thanks for reaching out.
No doubt Client Credentials grant sounds like the way. This means that the customer Apps will be able to authenticate, but how can I determine which customer is making the request? I need to figure out which resources to provide - hence the multi tenancy. No doubt, customers should never be able to spoof their origin, so a simple parameter to the REST calls is not an option.
The amount of customers ranges from 5 - 50 and potentially even 100s.

Ok, I found out that a hook into the Client Exchange can supply a hardcoded customer claim to be provided along with each API like this

“name”: “CustomerHook”,
“script”: “module.exports = function(client, scope, audience, context, cb) { var access_token = {}; access_token[‘’] = ‘2345’; cb(null, access_token); };”,
“enabled”: true,
“dependencies”: {}

My own API code will then be able to extract the embedded claims and hereby the customerId ‘2345’.
Only requirement is that the Web API accepts multiple audiences.
In core, TokenValidationParameters.ValidAudiences takes care of that.

What remains is whether potentially 100s of APIs should be registered when we have 100s of customers?

Thanks for providing an update.

This could be an issue. Entities (applications, connections, etc.) are limited based on your subscription. Here is the doc that explains it: