SPA getTokenSilently consuming far too many M2M usages


I currently have a working implementation of retrieving an access token by using getTokenSilently, which is then used to authorize a user’s request when making API calls (behind the scene).

The issue I’ve encountered is that each time a token is retrieved it appears to use our allocated M2M usage. I was under the impression that M2M usage only applied to backend services but that simply isn’t true. I’d also like to note that it’s difficult to tell if the usage applies whenever a token is retrieved or on every single token retrieval. This is primarily due to the fact that the usage data lags behind actual usage so it’s impossible to get a good handle on your usage in realtime.

So what is the most optimal way to make getting a token efficient whilst cutting down on M2M usage within a SPA?

I have also shared the token expirations and was beginning to wonder if extending the browser expiration would be the only way to “optimize” usage.

SPA ID Token Expiration (Seconds): 36000
Token Expiration For Browser Flows (Seconds): 7200
Token Expiration (Seconds) : 86400

SDK: auth0/auth0-spa-js
SDK Version: 1.13.6
Platform Version: Vue 2.6.12

Hi @pinda.singh,

This sounds like a misconfiguration. The user access tokens shouldn’t count towards your M2M limit, and getTokenSilently should be caching tokens until they are expired or the page is refreshed or reopened. Do you have your SPA registered as an M2M application?

Hi @dan.woda,

I double checked and we do not have our SPA registered as an M2M application.
I verified this under each of our APIs and Machine to Machine Applications.

I’m beginning to suspect our custom Rules, one, in particular one builds up the users permissions by calling managementClient.getUserPermissions. I’ve included the snippet below for clarity.

function (user, context, callback) {
      var ManagementClient = require('auth0@2.17.0').ManagementClient;
      var map = require('array-map');
      var management = new ManagementClient({
        domain: auth0.domain,
        token: auth0.accessToken
      var params = { 
        id: user.user_id,
        include_totals: true,
        page: 0,
        per_page: 10
      const namespace = '';
      management.getUserPermissions(params, function (err, permissions) {
        if (err) {
          console.log('err: ', err);
        } else {
          var permissionsArr = map(permissions.permissions, function (permission) {
            return permission.permission_name;
          context.idToken[`${namespace}/claims`] = {
            permissions: permissionsArr
        callback(null, user, context);

Calls to Auth0 APIs shouldn’t count against your M2M quota. This includes the management API. So it must be something else. You should be able to narrow it down to any M2M application that uses a non-Auth0 audience.

If you DM me your tenant name I will take a look.

It looks like you have a default audience configured. That could be causing this. Every application is requesting a token for your API, and that means every M2M token would be counted towards your quota. Does that make sense?

Thanks @dan.woda, I’ve now disabled that and will test usage in next month’s allocation.

1 Like

Great. I’ll leave this thread open for 30 days, let us know what you find.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.