Protect APIs using OAuth 2 client credentials grant

:wave: @tjhoo

Having replied to your other recent post here I thought I’d follow up on this one too :smiley:

I’m implementing APIs in Next.js 14 to be called by multiple external systems.

Cool :sunglasses: I’d recommend you take a look at our How to Authenticate with Next.js and Auth0: A Guide for Every Deployment Model Blog article if you haven’t already; I’m not a Next.js expert, but you shouldn’t need any security sensitive information stored in the API in order to validate an Auth0 Access Token.

How can I protect the APIs using OAuth 2.0 client credentials grant? For example, the external system will obtain the access token using client id and client secret, and then call the API using the access token.

As illustrated in the aforementioned Blog article, a Client Credentials Grant wouldn’t typically be used in order to obtain an Access Token for calling an API. In a Next.js context, where the application is typically a SPA - i.e. a non-confidential Single Page Application client - Authorization Code Grant with PKCE would be used instead. And this doesn’t require that you store any Client Secret for use by the application :sunglasses:

Hope this helps :smiley: