What is the purpose of a client secret?

Hi, thank you for your reply 🙂

The use case is this: we have a web application (SPA) which talks to our API (resource server). In this case, we use the standard universal login flow as you recommended. The user is redirected to tenant.auth0.com, logs in and is redirected back to our web. This works fine.

But some users actually want to write a CLI script that does something with our API. No browser involved, just some CLI script or CRON job that communicates with our resource server. Hence we want to let them fetch an ID and access token from Auth0, which they can use when communicating with our API. Hence the password-realm example I posted above.

What is the best way to achieve this if not the password-realm?