Preventing my users (M2M) from having to generate access tokens


I am generating auth0 applications for each of my users, giving them the client id/secret and allowing them to authenticate from their web-servers (M2M use-case).

There are two problems already discussed in the forums related to this:

  1. Rate limit of the auth/token end-point and not being able to force my users to cache access tokens
  2. Increased network calls (to generate the access token) and latency for my users’ web servers

To solve the above, I am thinking: the user includes their client id/secret along every request to my APIs, in the headers for example: “Authorization: Bearer {client_id}:{client_secret}” and I handle fetching access tokens, checking them and caching them on my back-end.

I have not seen other APIs do something like this, so I am obviously concerned with the security or practicality of this approach and I would appreciate any feedback or insights into this.


I asked the similar question here Use An Auth0 API Without an access token? B2B Application

But I do not have any answer yet. Did you find any solution?