What is the best practise to use M2M authorization?

I have created 3 custom APIs in my tenant (File upload, Account Management and Users). They are as follows:

If some back-end service wants to use “Users” endpoints, then they will pass me a token for that API, and I’ll validate that. Similar with “File Upload”.

Now, I have an endpoint in “Account management” which internally calls “Users” and “File Upload” services. Here, I am getting 401 - unauthorized which make sense. This is due to missing token when I call “Users” service internally.

How can I handle this situation where “Account Management” JWT can be used for such calls?
I enabled Authorized toggle button under “Account Management” → “Machine to Machine” for “Users” but same error.

Hi @Gunjan.Parmar

How are you protecting access to the Account Management API? Who gets an access token for that?

One way to achieve what you want is to have the Account Management API use the /token endpoint to get M2M tokens for the other APIs, but be careful about permissions.

Another way is to use an API gateway in front of all 3 APIs, and check access at that point, allowing the APIs free access to each other.


So the back end service(s) will call Account Management API /token endpoint. Once they have access, they can hit the endpoint.

Want to confirm if I understood your first option:

  • From Account Management, call /token for File Upload and Users (and other microservices if they are called). In my use case, I have to generate two tokens.
  • Then pass respected tokens in respected services for successful call.

Is that correct?

Is there a way I can give access to Users and File Upload in “Machine to Machine Application” under Account Management?

Hi @Gunjan.Parmar

You are correct - you will request two tokens via the /token endpoint and use those.

You must configure the M2M access in the dashboard, but you still must retrieve the tokens and use them in your Account Management API.


Sure. Thank you very much.