Validating actions request for machine to machine


I am trying to use Actions to do a pre-signup action, as well as a single web app.

I would like to create a token inside the actions, to ensure to my backend that the request originates from Auth0 actions. It is basically like this:

exports.onExecutePreUserRegistration = async (event, api) => {
  // Exchange the M2M client credentials for an access token for the API
  const response = await fetch(`https://DOMAIN/oauth/token`, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      "audience": "http://localhost/api",
      "grant_type": "client_credentials",
      "client_id": "MACHINE_TO_MACHINE_CLIENT_ID",
      "client_secret": event.secrets.CLIENT_SECRET
    })
  });

  // The access token is then sent with the Action's requests to the backend
  const accessToken = (await response.json())['access_token'];
};


This works well, but this now means that my backend will receive API requests from two clients:

  • Actions will send API requests signed with the M2M application (with the application secret).
  • SPA will send API requests signed with the SPA application (with the API audience).

Is this assumption correct? Does this mean that in my backend I am supposed to have two Auth0 objects (one with the M2M secrets, and one with the SPA secret)? Or am I missing something in the flow here?