This documentation explains the steps your service client (machine) must take to obtain an Access Token from Auth0 and use it to securely call our API. This flow is standard for Machine-to-Machine (M2M) communication, also known as the Client Credentials Grant flow.

Token Management

Cache tokens: Store valid tokens to avoid unnecessary requests to the token endpoint.

Handle expiration: Implement automatic token renewal before the token expires to maintain seamless service.

Token Expiration: Token expires after 1 hour, feel free to refresh it every 55 minutes

Error handling: Handle 401 responses by refreshing the token and retrying the original request.

Why We Use a Dedicated OAuth Server

To ensure the highest level of security and reliability for your application, we follow industry best practices by relying on a dedicated, third-party OAuth server to handle all authentication and token exchange.

This architecture ensures your confidential client_secret is never exposed to or processed by our primary API servers, minimizing the security risk.

Our API's sole function is to validate the Access Token provided by OAuth and serve your requested data, allowing us to maintain architectural clarity, enhanced stability, and compliance with modern security standards.

1. Prerequisites: Obtain Client Credentials

To begin the authentication process, you must first create a Client in your console. Upon creation, you will receive two critical pieces of information.

In the console go to Clients -> Create Client

❗️
Treat both as secrets; they should never be exposed in client-side code (e.g., a browser or mobile app).

Client ID A public identifier for your application.
Client Secret A confidential secret used to authenticate your application.

2. Request an access token

See the Access Token Page