You probably do not want a situation where multiple customers all share a single client id+secret pair.
100% correct. Each needs their own segregated data, so the API would need to be able to identify each customer, or each company.
(Within our API, if we can identify a customer, we can identify which company or companies they have access to.)
I think I would assign each customer their own M2M application in Auth0
This seems manageable now where we might have ten clients who want API access. If that number grows to a hundred+ though, that’s unmanageable, unless we build tooling around the management API to automate that whole process.