Setting permissions per client for M2M applications


We use the Authorization Extension to assign permissions/groups to users of our SPA. The access_token contains the user’s permissions and our API verifies permissions as expected by looking in the app_metadata for an authorization object. For example our permissions look like: ‘payments:view’, ‘payments:refund’

We are now creating an integration with a 3rd party that will use the same API as a Machine-to-Machine client. I have created an Application for the 3rd party. What is the best/most efficient way to assign permissions to the client so that the M2M application’s access_token can contain permissions?

The main goal is to make the connections to our API look the same regardless of a user or M2M request being made. (Same spellings of permissions, same access_token structure)

Thank you for taking the time to consider this.

Hi @dan5,

Depending on what exactly you want the token to look like, you can use a client credentials hook to customize the token.

Here is the doc:

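As an added illustration of the hook approach (this is example code, not from the thread above or from Auth0's own samples), a Client Credentials Exchange hook that reads a per-application permission list from the application's client metadata and places it in a namespaced claim so the API can check the same claim for user and M2M tokens. The claim name, the metadata key `permissions`, the sample client and the `resource:action` spelling check are assumptions; only the hook signature `(client, scope, audience, context, cb)` is Auth0's.

```javascript
// Added example: an Auth0 Client Credentials Exchange hook (Node.js) that copies a
// per-application permission list into the access token. The hook signature
// (client, scope, audience, context, cb) is Auth0's; everything else is assumed.
// Assumption: each M2M application's permissions are stored in its client metadata
// under the key "permissions" as a comma-separated string.
// Assumption: SPA tokens carry permissions under this same namespaced claim, so the
// API verifies one claim regardless of whether a user or an M2M client is calling.
const PERMISSIONS_CLAIM = 'https://example.com/claims/permissions';

// Only names spelled like the SPA permissions (e.g. payments:view, payments:refund)
// are accepted; anything else in the metadata is dropped rather than issued.
const PERMISSION_PATTERN = /^[a-z0-9_-]+:[a-z0-9_-]+$/;

function parsePermissions(raw) {
  if (typeof raw !== 'string') return [];           // missing metadata => no permissions
  return raw.split(',')
    .map((p) => p.trim())
    .filter((p) => PERMISSION_PATTERN.test(p));
}

// Hook entry point: Auth0 calls this for the M2M application exchanging its
// client credentials, with the scope(s) and audience it requested.
function clientCredentialsHook(client, scope, audience, context, cb) {
  const accessToken = {};
  accessToken.scope = scope;                         // keep the scopes Auth0 granted
  const metadata = (client && client.metadata) || {};
  // Custom claims must be namespaced URLs; unnamespaced keys are ignored by Auth0.
  accessToken[PERMISSIONS_CLAIM] = parsePermissions(metadata.permissions);
  cb(null, accessToken);
}

if (typeof module !== 'undefined') module.exports = clientCredentialsHook;

// Constructed sample: an M2M application whose metadata holds two valid
// permissions and one malformed entry that must not reach the token.
const sampleClient = {
  id: 'CLIENT_ID_PLACEHOLDER',
  name: 'third-party-integration',
  metadata: { permissions: 'payments:view, payments:refund, bogus value' },
};

// Runs the hook once and returns the token object it would hand back to Auth0.
function runSample() {
  let result;
  clientCredentialsHook(sampleClient, ['read:payments'], 'https://api.example.com', {},
    (err, token) => { result = token; });
  return result;
}
```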
