Programmatically get an access token from Auth0

I’m using a SPA application successfully, but our users must be able to authenticate and use our BFF (back-end for front-end) without accessing the SPA.
They must be able to create integrations on their systems where they get a token from Auth0 and use it on our BFF.
We can create an abstraction where our BFF calls Auth0 directly, and then the users' daemons would call our BFF.
What is the best flow in terms of security for this use case?