Regulating Access Token use by External APIs

f8DhZh3P · September 16, 2022, 7:09pm

Hi there,

I have enterprise customers that would like to access my API programatically. It appears the way to do this is using the Client Credentials flow:

Create a new M2M Application for each enterprise customer.
Give the customer the client id and secret
The customer will exchange the client id and secret for an access token using the M2M Application
The customer will send requests to my API with that access token
When the access token expires, the customer will exchange their client id and secret for a new access token

My concern is that the Auth0 subscription plan only allows for a limited number of access tokens per month. How can I prevent an enterprise customer from fetching a new access token for every request, or even fetching new access tokens prematurely, and burning through the M2M token amount provided with my subscription? Thank you.

dan.woda · October 1, 2022, 12:50am

Hi @f8DhZh3P,

There is a bit of a gap for this type of use case at the moment. It would be helpful to create a Feature Request so we can gauge interest. Thanks!

system · October 15, 2022, 12:51am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Allow specific outside customers access to our API server with m2m machine to machine token Help api , m2m , m2m-tokens	4	3200	May 4, 2021
M2M Applications - Client credentials flow so a user can consume an API with a secret key Help machine-to-machine	3	4275	July 23, 2020
Preventing my users (M2M) from having to generate access tokens Help	1	3683	August 7, 2020
API credentials for clients in a multi-tenant setup Help multi-tenant , m2m	5	4428	June 28, 2022
What is the correct method to protect client-facing API? Help access-token	5	2115	October 27, 2023

Regulating Access Token use by External APIs

Related Topics