
Set up a Client Credentials Grant using the Management API

Auth0 lets you authorize applications that have the 'Client Credentials' grant type enabled to call APIs using the Client Credentials Flow.

By default, all Machine-to-Machine Applications and Regular Web Applications have the 'Client Credentials' grant enabled, but they are not authorized to call any API until a client grant exists for them.

If you want to call an API from one of these applications, you first need to authorize the application to call that API and specify the JSON Web Token (JWT) scopes that will be granted. Grant only the scopes the application actually needs: every Access Token issued under this grant will carry them, and nothing you leave out can be requested later. You can do that using the Dashboard, or follow the steps below to use the Management API.

You will need the following:

  • A Management API Access Token with the create:client_grants scope. For details on how to get one, refer to Access Tokens for the Management API.

  • The application information (Client ID and Client Secret) for the application you want to authorize, available in the application's settings in the Auth0 Dashboard.

  • The API identifier for the API you want to invoke (


Authorize the Application

To authorize your Application, send a POST request to the /client-grants endpoint of the Management API v2, passing the Management API Access Token as a Bearer token in the Authorization header.

The following example authorizes the application with ID YOUR_CLIENT_ID to access the API with identifier https://my-api-urn, while granting the scope sample-scope.

Sample response:

That's it, you are done! Now that all the elements are in place, you can request Access Tokens for your API from Auth0 using the Client Credentials Flow. Tokens issued this way are bound to the API identifier you passed as the audience and carry only the scopes listed in the grant, so check both before treating a token as usable.
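The two steps above (creating the client grant through the Management API, then requesting an Access Token with the Client Credentials Flow) are shown end to end below. This is an added example written for this page, not Auth0's own sample code. The endpoint paths (/api/v2/client-grants and /oauth/token) and JSON field names follow the public Management API v2 and token endpoint documentation; the tenant domain, client credentials and API identifier are placeholders, and make_sample_token builds a constructed, unsigned token purely so the claim checks can be exercised offline.

```python
"""Client Credentials grant end to end: authorize an application for an API via
the Auth0 Management API, then obtain an Access Token for that API and confirm
it carries the expected audience and scopes.

Added example, not Auth0's own sample code. Endpoint paths and field names
follow the public docs; all values below are placeholders (assumptions).
"""
import base64
import json
import urllib.request
from urllib.error import HTTPError

AUTH0_DOMAIN = "YOUR_DOMAIN.auth0.com"       # placeholder tenant domain
MGMT_API_TOKEN = "MGMT_API_ACCESS_TOKEN"     # must carry create:client_grants
CLIENT_ID = "YOUR_CLIENT_ID"                 # placeholder
CLIENT_SECRET = "YOUR_CLIENT_SECRET"         # placeholder
API_IDENTIFIER = "https://my-api-urn"
SCOPES = ["sample-scope"]


def build_client_grant_request(client_id, audience, scopes):
    """Body for POST /api/v2/client-grants: which application may call which
    API, and with which scopes. Scopes not listed here are never issued."""
    if not scopes:
        raise ValueError("grant at least one scope, or the token is useless")
    return {"client_id": client_id, "audience": audience, "scope": list(scopes)}


def build_token_request(client_id, client_secret, audience):
    """Body for POST /oauth/token using the Client Credentials Flow."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }


def post_json(url, body, bearer=None):
    """POST a JSON body and return the parsed JSON response (network call)."""
    headers = {"content-type": "application/json"}
    if bearer:
        headers["authorization"] = f"Bearer {bearer}"
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except HTTPError as exc:
        # Auth0 returns a JSON error document; surface it, not just the status
        raise RuntimeError(f"{exc.code}: {exc.read().decode(errors='replace')}") from exc


def check_client_grant(grant, client_id, audience, scopes):
    """Confirm the grant echoed back is exactly what was requested."""
    return (
        grant.get("client_id") == client_id
        and grant.get("audience") == audience
        and set(grant.get("scope", [])) == set(scopes)
        and bool(grant.get("id"))
    )


def decode_jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature. Acceptable for
    inspecting a token you just received from the issuer over TLS; an API that
    RECEIVES tokens must verify the signature against the tenant's JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_access_token(claims, audience, scopes):
    """Usable only if aud names the API and the space-separated scope claim
    contains every scope we need."""
    aud = claims.get("aud")
    aud_ok = audience in aud if isinstance(aud, list) else aud == audience
    granted = set(claims.get("scope", "").split())
    return aud_ok and set(scopes) <= granted


def make_sample_token(claims):
    """Constructed fixture for offline testing: header.payload with a dummy
    signature part. Real Auth0 tokens are RS256-signed; never accept this shape
    from a caller."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.placeholder"


if __name__ == "__main__":
    base = f"https://{AUTH0_DOMAIN}"
    grant = post_json(f"{base}/api/v2/client-grants",
                      build_client_grant_request(CLIENT_ID, API_IDENTIFIER, SCOPES),
                      bearer=MGMT_API_TOKEN)
    assert check_client_grant(grant, CLIENT_ID, API_IDENTIFIER, SCOPES), grant
    token = post_json(f"{base}/oauth/token",
                      build_token_request(CLIENT_ID, CLIENT_SECRET, API_IDENTIFIER))
    claims = decode_jwt_claims(token["access_token"])
    assert check_access_token(claims, API_IDENTIFIER, SCOPES), claims
    print("granted", claims["scope"], "for", claims["aud"])
```

Run it with real tenant values to create the grant and fetch a token in one go. The response check on the grant matters in practice: if a scope name is misspelled in the request the Management API may still create the grant, and the mismatch only shows up as a missing scope in the tokens the application later receives.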
