Regulating Access Token use by External APIs

Hi there,

I have enterprise customers that would like to access my API programmatically. It appears the way to do this is using the Client Credentials flow:

  1. Create a new M2M Application for each enterprise customer.
  2. Give the customer the client id and secret
  3. The customer will exchange the client id and secret for an access token using the M2M Application
  4. The customer will send requests to my API with that access token
  5. When the access token expires, the customer will exchange their client id and secret for a new access token

My concern is that the Auth0 subscription plan only allows for a limited number of access tokens per month. How can I prevent an enterprise customer from fetching a new access token for every request, or even fetching new access tokens prematurely, and burning through the M2M token amount provided with my subscription? Thank you.

Hi @f8DhZh3P,

There is a bit of a gap for this type of use case at the moment. It would be helpful to create a Feature Request so we can gauge interest. Thanks!
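Steps 3 to 5 of the flow in the question, seen from the customer's side, as an added example (not code from this thread or from Auth0): the access token is reused until shortly before its `expires_in` lifetime runs out, and the simulation counts how many tokens each client behaviour consumes. `CachedTokenSource`, `FakeTokenEndpoint` and `simulate` are hypothetical names, and the token endpoint is a constructed stand-in so the block runs offline.

```python
import threading
import time


class CachedTokenSource:
    """Client-side cache for a Client Credentials access token (steps 3-5)."""

    def __init__(self, fetch_token, leeway=30, clock=time.monotonic):
        self._fetch = fetch_token    # callable returning the token response as a dict
        self._leeway = leeway        # renew this many seconds before expiry
        self._clock = clock
        self._lock = threading.Lock()
        self._token = None
        self._expires_at = 0.0

    def get(self):
        # The lock keeps concurrent callers from each requesting a new token.
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at - self._leeway:
                resp = self._fetch()
                self._token = resp["access_token"]
                self._expires_at = self._clock() + int(resp["expires_in"])
            return self._token


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint; counts tokens issued."""

    def __init__(self, lifetime=3600):
        self.issued = 0
        self.lifetime = lifetime

    def __call__(self):
        self.issued += 1
        return {"access_token": f"constructed-token-{self.issued}",
                "token_type": "Bearer", "expires_in": self.lifetime}


def simulate(requests, seconds_between, lifetime=3600, cached=True):
    """Return how many tokens are issued for a run of API requests."""
    now = [0.0]                      # simulated clock, in seconds
    endpoint = FakeTokenEndpoint(lifetime)
    source = CachedTokenSource(endpoint, clock=lambda: now[0])
    for _ in range(requests):
        token = source.get() if cached else endpoint()["access_token"]
        assert token.startswith("constructed-token-")
        now[0] += seconds_between
    return endpoint.issued
```

With the constructed one-hour lifetime and one API request per minute, `simulate(1000, 60, cached=False)` consumes one token per request, while the cached client renews only once per token lifetime.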

