Validating actions request for machine to machine


I am trying to use Actions to do a pre-signup action, as well as a single web app.

I would like to create a token inside the actions, to ensure to my backend that the request originate from Auth0 actions. It is basically like this:

exports.onExecutePreUserRegistration = async (event, api) => {
  const response = await fetch(`https://DOMAIN/oauth/token`, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json'
    body: JSON.stringify({
      "audience": "http://localhost/api",
      "grant_type": "client_credentials",
      "client_id": "MACHINE_TO_MACHINE_CLIENT_ID",
      "client_secret": event.secrets.CLIENT_SECRET

  const accessToken = (await response.json())['access_token'];


This works well, but this now means that my backend will recieve API requests from two clients:

  • Actions will send API requests signed with the M2M application (with the application secret).
  • SPA will send API requests signed with the SPA application (with the API audience0.

Is this assumption correct? Does this mean that in my backend I am supposed to have two Auth0 object (one with the M2M secrets, and one with the SPA secret)? Or am I missing something in the flow here?


Hey there!

As this topic is related to Actions and Rules & Hooks are being deprecated soon in favor of Actions, I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!

Learn more here!