Authentication Flow

Machine-to-Machine (M2M)

This documentation explains the steps your service client (machine) must take to obtain an Access Token from Auth0 and use it to securely call our API. This is the standard flow for Machine-to-Machine (M2M) communication, known in OAuth 2.0 as the Client Credentials Grant.

Token Management

Cache tokens: Store valid tokens to avoid unnecessary requests to the token endpoint.

Handle expiration: Implement automatic token renewal before the token expires to maintain seamless service.

Token expiration: Tokens expire after 1 hour (the exact lifetime is returned in the token response's expires_in field, in seconds). Renew about 55 minutes after issuance so that no request is sent with a token about to expire.

Error handling: Handle a 401 response by discarding the cached token, requesting a new one and retrying the original request once. Do not retry in a loop: a second 401 points to a configuration or authorization problem rather than an expired token.
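The token manager below implements the caching, pre-expiry renewal and single 401 retry described above. It is an added example, not the API's own client library: AUTH0_DOMAIN and AUDIENCE are placeholder assumptions, fetch_token_from_auth0 is the real Auth0 token request (POST to /oauth/token with grant_type=client_credentials), and demo() runs against a constructed token endpoint and API so it works offline.

```python
"""Client Credentials (M2M) token handling: cache, renew before expiry, retry once on 401.

Added example, not the API's own client library. AUTH0_DOMAIN and AUDIENCE are
placeholder assumptions; demo() uses a constructed token endpoint and API (offline).
"""
import json
import time
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

AUTH0_DOMAIN = "example.us.auth0.com"    # assumption: your Auth0 tenant domain
AUDIENCE = "https://api.example.com/"    # assumption: the API identifier registered in Auth0
REFRESH_MARGIN_SECONDS = 5 * 60          # renew at ~55 min of a 60 min token


@dataclass
class Token:
    access_token: str
    expires_at: float  # absolute epoch seconds, derived from expires_in


def fetch_token_from_auth0(client_id: str, client_secret: str) -> dict:
    """Real transport: POST the Client Credentials grant to Auth0's /oauth/token."""
    body = json.dumps({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": AUDIENCE,
    }).encode()
    req = urllib.request.Request(
        f"https://{AUTH0_DOMAIN}/oauth/token", data=body,
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())   # {"access_token", "token_type", "expires_in"}


class TokenManager:
    """Holds one cached token and renews it REFRESH_MARGIN_SECONDS before expiry."""

    def __init__(self, client_id: str, client_secret: str,
                 fetch: Callable[[str, str], dict] = fetch_token_from_auth0,
                 clock: Callable[[], float] = time.time):
        self._client_id, self._client_secret = client_id, client_secret
        self._fetch, self._clock = fetch, clock   # injectable for offline tests
        self._token: Optional[Token] = None
        self.fetch_count = 0                      # how often the token endpoint was hit

    def _refresh(self) -> Token:
        data = self._fetch(self._client_id, self._client_secret)
        self.fetch_count += 1
        # expires_in is relative seconds; store an absolute deadline instead
        self._token = Token(data["access_token"], self._clock() + float(data["expires_in"]))
        return self._token

    def get_token(self) -> str:
        t = self._token
        if t is None or self._clock() >= t.expires_at - REFRESH_MARGIN_SECONDS:
            t = self._refresh()
        return t.access_token

    def call_api(self, send: Callable[[dict], Tuple[int, bytes]]) -> Tuple[int, bytes]:
        """send(headers) performs the HTTP request and returns (status, body).
        On 401 the cached token is dropped and the request retried exactly once,
        so a persistently rejecting API cannot trigger a refresh/retry loop."""
        status, body = send({"Authorization": f"Bearer {self.get_token()}"})
        if status == 401:
            self._token = None
            status, body = send({"Authorization": f"Bearer {self.get_token()}"})
        return status, body


def demo() -> dict:
    """Offline walk-through against a constructed token endpoint and API."""
    now = [1_000_000.0]          # controllable clock
    issued, revoked = [], set()

    def fake_fetch(client_id: str, client_secret: str) -> dict:
        issued.append(f"tok-{len(issued)}")
        return {"access_token": issued[-1], "token_type": "Bearer", "expires_in": 3600}

    def fake_api(headers: dict) -> Tuple[int, bytes]:
        tok = headers["Authorization"].split(" ", 1)[1]
        ok = tok in issued and tok not in revoked
        return (200, b'{"ok":true}') if ok else (401, b"")

    tm = TokenManager("client-id", "client-secret", fetch=fake_fetch, clock=lambda: now[0])
    first = tm.get_token()             # first fetch
    now[0] += 54 * 60
    cached = tm.get_token()            # inside the 55 min window: served from cache
    now[0] += 2 * 60
    renewed = tm.get_token()           # past 55 min: renewed before the 60 min expiry
    revoked.add(renewed)               # simulate the API rejecting the token (401)
    status, _ = tm.call_api(fake_api)  # 401 -> fresh token -> retried once -> 200
    return {"first": first, "cached": cached, "renewed": renewed,
            "fetches": tm.fetch_count, "status": status}
```

Running demo() hits the constructed token endpoint three times in total (initial fetch, pre-expiry renewal, and the single refresh after the 401) and ends with a 200. For real use, construct TokenManager with only the client ID and secret; the default fetch and clock talk to Auth0 and the system time.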


Why We Use a Dedicated Auth0 Server

We follow industry practice and delegate all authentication and token issuance to a dedicated, third-party Auth0 server rather than handling credentials ourselves.

This architecture means your confidential client_secret is only ever sent to Auth0; it is never exposed to or processed by our primary API servers, which limits what a compromise of those servers could reveal.

Our API's sole authentication task is to validate the Access Token issued by Auth0 (signature, expiry, issuer and audience) before serving the requested data. Keeping token issuance and token validation separate keeps the architecture simple, stable and aligned with modern security standards.


1. Prerequisites: Obtain Client Credentials

To begin the authentication process, you must first create a Client in your console. Upon creation, you will receive two critical pieces of information.

In the console go to Clients -> Create Client

  • Client ID: A public identifier for your application.
  • Client Secret: A confidential credential used to authenticate your application to Auth0.

❗️

Keep the Client Secret out of client-side code (e.g., a browser or mobile app), where it cannot be protected. The Client Credentials grant is intended for confidential clients such as backend services; the Client ID itself is not secret, but neither value has any place in code shipped to end users.

2. Request an access token

See the Access Token Page