Set up a Client Credentials Grant using the Management API
Auth0 lets you authorize applications that have the 'Client Credentials' grant type enabled to call APIs using the Client Credentials Flow.
By default, all Machine-to-Machine Applications and Regular Web Applications have the 'Client Credentials' grant enabled, but they are not authorized to call any API.
If you want to call an API from these applications, you first need to authorize the application to call the API and specify the JSON Web Token (JWT) scopes that will be granted. You can do that using the Dashboard, or follow the steps below to use the Management API.
You will need the following:
A Management API Access Token with the create:client_grants scope. For details on how to get one, refer to Access Tokens for the Management API.
The application information (Client_Id and Client_Secret) for the application you want to authorize, from the Auth0 Dashboard.
The API identifier for the API you want to invoke (listed at https://manage.auth0.com/#/apis).
To authorize your Application, send a POST request to the /client-grants endpoint of the Management API v2, authenticated with the Management API Access Token.
The following example authorizes the application with Id YOUR_CLIENT_ID to access the API with Identifier https://my-api-urn, while granting the scope
That's it, you are done! Now that all the elements are in place, you can request Access Tokens for your API from Auth0 using the Client Credentials Flow.
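The two requests described above, as an added example that is neither Auth0's own code nor the page's missing snippet: the POST to /client-grants that authorizes the application, and the Client Credentials token request it enables. The tenant domain, Management API token, client ID/secret and the scope name `read:things` are placeholders; `granted_scopes` only decodes the issued JWT's payload so you can confirm which scopes the tenant actually granted (it does not verify the token).

```python
import base64, json, urllib.request

AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"        # placeholder, not a real tenant
MGMT_API_TOKEN = "MGMT_API_TOKEN_PLACEHOLDER"  # must carry create:client_grants

def build_client_grant_request(domain, mgmt_token, client_id, audience, scopes):
    """POST /api/v2/client-grants: authorize client_id to call `audience`
    with exactly the listed scopes (least privilege: grant only what it needs)."""
    body = {"client_id": client_id, "audience": audience, "scope": list(scopes)}
    return urllib.request.Request(
        f"https://{domain}/api/v2/client-grants", data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {mgmt_token}",
                 "Content-Type": "application/json"}, method="POST")

def build_token_request(domain, client_id, client_secret, audience):
    """POST /oauth/token: Client Credentials Flow for the authorized application."""
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "audience": audience}
    return urllib.request.Request(
        f"https://{domain}/oauth/token", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature. Use it only to
    inspect which scopes were granted; an API must verify before trusting it."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def granted_scopes(token):
    """Scopes actually issued, taken from the space-separated `scope` claim."""
    return set(jwt_claims(token).get("scope", "").split())

def unsigned_sample_token(claims):
    """Constructed fixture to exercise the decoder offline: header and payload
    with an empty signature segment, so no verifying API would accept it."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."

def send(req):
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())

if __name__ == "__main__":
    api = "https://my-api-urn"  # the API identifier from the page's example
    send(build_client_grant_request(AUTH0_DOMAIN, MGMT_API_TOKEN,
                                    "YOUR_CLIENT_ID", api, ["read:things"]))
    token = send(build_token_request(AUTH0_DOMAIN, "YOUR_CLIENT_ID",
                                     "YOUR_CLIENT_SECRET", api))["access_token"]
    print(granted_scopes(token))
```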