Which client to register?

Hi all,
I have several applications and services (underlying APIs) in my architecture. It is clear to me that each of the applications requires its own client with the Authentication Code flow. My doubt is: should each of the underlying APIs have its own client registration? And in case those APIs call other APIs under the hood, should they exchange the token, generating a new one?

Thank you

Hi @pacojones,

Welcome to the Auth0 Community!

Yes, this is correct. 👍

That is not necessarily the case since you can have your APIs authorized for many registered M2M applications. For more information, refer to our Register Machine-to-Machine Applications documentation.

They would need to generate a new access token to make requests to your secondary API. The initial access token will not have access to make requests to your secondary API. So in this case, you would need to generate a new access token with the audience set to your secondary API’s identifier.

Thanks,
Rueben
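
The token handling described in the reply above, as an added example that is not part of the original posts and is not Auth0's code: the first API requests its own client-credentials token for the secondary API's audience, and the secondary API rejects any token whose `aud` claim does not contain its identifier. The domain, client values, audiences and the injected `fetch` callable are placeholders assumed for illustration.

```python
import time
import urllib.parse
import urllib.request


def build_token_request(domain, client_id, client_secret, audience):
    """Build the client-credentials POST to the tenant's /oauth/token endpoint."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,  # identifier of the API that will receive the token
    }).encode()
    return urllib.request.Request(
        f"https://{domain}/oauth/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def audience_allows(claims, expected_audience):
    """Check the aud claim, which a JWT may carry as a string or a list.
    Assumes signature, issuer and expiry were already verified elsewhere."""
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    return expected_audience in auds


class DownstreamTokens:
    """Keeps one cached token per audience so each downstream API gets its own.
    `fetch(audience)` is an injected callable returning the token response dict."""

    def __init__(self, fetch, skew=60):
        self._fetch, self._skew, self._cache = fetch, skew, {}

    def get(self, audience, now=None):
        now = time.time() if now is None else now
        entry = self._cache.get(audience)
        # Refresh when missing or within `skew` seconds of expiry.
        if entry is None or entry["expires_at"] - self._skew <= now:
            resp = self._fetch(audience)
            entry = {"access_token": resp["access_token"],
                     "expires_at": now + resp["expires_in"]}
            self._cache[audience] = entry
        return entry["access_token"]
```
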
