Set up a Client Credentials Grant using the Dashboard

Heads up! As part of our efforts to improve security and standards-based interoperability, we have implemented several new features in our authentication flows and made changes to existing ones. For an overview of these changes, and details on how to adopt them, refer to Introducing OIDC Conformant Authentication.

  1. Open the Auth0 Management Dashboard and browse to the Applications section.

  2. Click on Create Application to begin creating a new application (if you have multiple applications needing access to the API, you'll need to create an Auth0 app for each). You'll be asked what type of application you'd like to create, so select Machine to Machine Application. Click Create to proceed.


  3. Navigate to the API section and create a new API.

Enter a friendly name and an identifier. Ideally, this identifier should be the public endpoint of the API, but any valid URN is acceptable. This API will be represented by your Resource Server.

The selection of the Signing Algorithm will dictate how the API will validate the Access Tokens it receives:


There will already be an Auth0 Management API that represents Auth0's APIv2. You can authorize applications to request tokens from this API as well.

  4. (Optional) Define some scopes by browsing to the Scopes tab. A scope is a claim that may be issued as part of the Access Token. With this information, the API can enforce fine-grained authorization.


  5. Authorize a consumer application. Under the Machine to Machine Application tab, you can authorize your applications that will be the consumers of the API. This will create a client grant for each application and will allow you to generate Access Tokens for these applications to call your API. Optionally, you can select a subset of scopes to be granted to this application as part of the Access Token. Scopes allow the API to enforce fine-grained authorization.


  6. Set up your API to accept Access Tokens. The Quickstart tab provides you with code snippets for different languages and will guide you through bootstrapping your API, depending on the selected Signing Algorithm.
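What the API has to check before it honours an Access Token, as an added example (not Auth0's Quickstart code): the signature under the selected Signing Algorithm, the audience (the API identifier), the expiry, and the scope granted to the application. It assumes HS256 was selected and that scopes arrive as a space-delimited `scope` claim; the secret, identifier and scope names are constructed placeholders, and a real API would use a maintained JWT library rather than hand-rolled parsing.

```python
import base64, hashlib, hmac, json, time

def b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a constructed test token; stands in for the authorization server."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def authorize(token: str, secret: bytes, audience: str, required_scope: str, now=None) -> dict:
    """Return the claims if the token is valid for this API and scope, else raise."""
    try:
        head, body, sig = token.split(".")
        header, signature = json.loads(b64d(head)), b64d(sig)
    except ValueError as exc:
        raise PermissionError("malformed token") from exc
    # Pin the algorithm to the one configured for the API; never let the
    # token's own header choose it (this rejects "none" and swapped algorithms).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise PermissionError("unexpected signing algorithm")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise PermissionError("bad signature")
    claims = json.loads(b64d(body))  # parsed only after the signature checks out
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("token issued for a different API")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise PermissionError("token expired")
    # Fine-grained authorization: the scope must have been granted to this application.
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError("missing scope " + required_scope)
    return claims

if __name__ == "__main__":
    secret = b"constructed-signing-secret"   # constructed placeholder
    api_id = "https://api.example.com/"      # constructed API identifier
    token = sign_hs256({"aud": api_id, "exp": time.time() + 60, "scope": "read:reports"}, secret)
    print(authorize(token, secret, api_id, "read:reports"))
```

With RS256 the structure is the same, but the signature is verified against the issuer's public key instead of a shared secret.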
