We use the Authorization Extension to assign permissions/groups to users of our SPA. The access_token contains the user’s permissions, and our API verifies permissions as expected by looking in the app_metadata for an authorization object. For example, our permissions look like: ‘payments:view’, ‘payments:refund’.
We are now creating an integration with a 3rd party that will use the same API as a Machine-to-Machine client. I have created an Application for the 3rd party. What is the best/most efficient way to assign permissions to the client so that the M2M application’s access_token can contain permissions?
The main goal is to make the connections to our API look the same regardless of a user or M2M request being made. (Same spellings of permissions, same access_token structure)
Thank you for taking the time to consider this.
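As an added illustration of the uniformity the question is after (example code, not from the original post or from Auth0), the following Python collects the caller's permissions from the two places an API in this setup might find them: the Authorization Extension's `app_metadata.authorization.permissions` array in a user token, and the space-separated `scope` claim that a client-credentials (M2M) token typically carries. Both sources are normalized into one set so a single `has_permission` check applies regardless of which kind of caller made the request. The claim layout, the sample tokens and the `require` helper are assumptions constructed for the example; the code operates on already-decoded claims, so JWT signature and audience verification are assumed to have happened before this point.

```python
"""Normalize API permissions from a user token and an M2M token into one check.

Added example, not from the original post. Assumptions (constructed):
- User tokens carry Authorization Extension output at
  claims["app_metadata"]["authorization"]["permissions"].
- M2M tokens carry permissions as a space-separated "scope" claim.
- Claims passed in have already been signature- and audience-verified.
"""
from typing import Dict, Iterable, Set


def permissions_from_claims(claims: Dict) -> Set[str]:
    """Return every permission string found in the decoded claims.

    Sources are merged, so a token that carries both (or neither) is handled
    without special-casing the caller type.
    """
    perms: Set[str] = set()

    # Source 1: Authorization Extension shape used for user tokens.
    app_metadata = claims.get("app_metadata") or {}
    authorization = app_metadata.get("authorization") or {}
    perms.update(p for p in authorization.get("permissions") or [] if isinstance(p, str))

    # Source 2: OAuth "scope" claim, as issued for client-credentials tokens.
    scope = claims.get("scope")
    if isinstance(scope, str):
        perms.update(s for s in scope.split() if s)

    return perms


def has_permission(claims: Dict, required: str) -> bool:
    """True if the caller holds exactly the named permission (e.g. 'payments:refund')."""
    return required in permissions_from_claims(claims)


def require(claims: Dict, required: Iterable[str]) -> None:
    """Raise PermissionError listing every missing permission, so a denied
    request can be logged with the full gap rather than the first failure."""
    held = permissions_from_claims(claims)
    missing = sorted(set(required) - held)
    if missing:
        raise PermissionError(f"missing permissions: {', '.join(missing)}")


# Constructed sample claims (not real tokens).
USER_CLAIMS = {
    "sub": "auth0|user-example",
    "app_metadata": {"authorization": {"permissions": ["payments:view"], "groups": ["finance"]}},
}
M2M_CLAIMS = {
    "sub": "client-example@clients",
    "gty": "client-credentials",
    "scope": "payments:view payments:refund",
}

if __name__ == "__main__":
    for label, claims in (("user", USER_CLAIMS), ("m2m", M2M_CLAIMS)):
        print(label, sorted(permissions_from_claims(claims)))
        print(label, "refund allowed:", has_permission(claims, "payments:refund"))
```

The same `require(claims, ["payments:refund"])` call then guards the refund endpoint for both caller types; only the token issuance side differs, which is what keeps the permission spellings and the API-side check identical.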