Calling APIs from a Service
Machine-to-machine interfaces that need to call an API use the OAuth 2.0 Client Credentials Grant. This document explains how that flow works.
Overview of the flow
With the Client Credentials Grant (defined in RFC 6749, section 4.4) a Non Interactive Client (a CLI, a daemon, or a Service running on your backend) can directly ask Auth0 for an access_token, using its Client Credentials (Client ID and Client Secret) to authenticate. In this case the token represents the Non Interactive Client itself, not an end user, so there is no login page and no consent step. Because the Client Secret is the only thing protecting the grant, the flow is meant for confidential clients that can keep that secret private; never ship it in a browser or mobile app.
- The application authenticates with Auth0 using its Client ID and Client Secret.
- Auth0 validates this information and returns an access_token.
- The application can use the access_token to call the API on behalf of itself.
NOTE: In OAuth 2.0 terms, the non interactive app is the Client, the API the Resource Server, and Auth0 the Authorization Server. The Resource Owner and User Agent roles (the end user and their browser in the interactive grants) do not take part in this grant: the Client acts on its own behalf, so there is no end user and no browser redirect.
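The three steps above, carried through end to end as an added example (this is illustrative code written for this page, not Auth0's SDK or the Auth0 service). Auth0 and the API are replaced by in-process stand-ins so the exchange runs offline: the tenant domain, Client ID, Client Secret, audience, signing key and the `read:reports` scope are all constructed sample values, and the HS256 token the stand-in issues is a simplification of what Auth0 actually returns. What is faithful to the real flow is the shape of the `POST /oauth/token` request (`grant_type=client_credentials`, `client_id`, `client_secret`, `audience`), the `Bearer` header on the API call, and the checks a resource server must make before trusting the token (signature, issuer, audience, expiry, scope).

```python
"""Client Credentials flow with constructed stand-ins for Auth0 and the API."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

# Constructed sample data (hypothetical tenant, client and API; not real values)
DOMAIN = "example.auth0.com"
API_AUDIENCE = "https://api.example.com/"
CLIENT_ID = "m2m-client-id"
CLIENT_SECRET = "m2m-client-secret"
SIGNING_KEY = b"api-signing-key"  # HS256 key shared by the two stand-ins only
# Registered non-interactive clients and the scopes their Client Grant allows
REGISTERED_CLIENTS = {CLIENT_ID: {"secret": CLIENT_SECRET, "scopes": ["read:reports"]}}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Step 1 (client): authenticate with Client ID and Client Secret
def build_token_request(domain, client_id, client_secret, audience):
    """The request a client sends to Auth0: POST https://{domain}/oauth/token,
    form-encoded, grant_type=client_credentials (RFC 6749 section 4.4.2)."""
    url = f"https://{domain}/oauth/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "audience": audience})
    return url, headers, body


# Step 2 (authorization server stand-in): validate credentials, issue access_token
def issue_token(body, now=None):
    """Returns (HTTP status, JSON response) the way /oauth/token would."""
    now = int(now or time.time())
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    client = REGISTERED_CLIENTS.get(form.get("client_id", ""))
    # Constant-time compare; one error for unknown client and for wrong secret
    if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
        return 401, {"error": "invalid_client"}
    if form.get("audience") != API_AUDIENCE:
        return 403, {"error": "access_denied", "error_description": "unknown audience"}
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": f"https://{DOMAIN}/",
              "sub": f"{form['client_id']}@clients",  # token represents the client itself
              "aud": API_AUDIENCE, "iat": now, "exp": now + 3600,
              "scope": " ".join(client["scopes"]), "gty": "client-credentials"}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return 200, {"access_token": f"{signing_input}.{b64url(sig)}",
                 "token_type": "Bearer", "expires_in": 3600}


# Step 3 (client): call the API with the access_token as a bearer credential
def api_request_headers(token_response):
    return {"Authorization": f"{token_response['token_type']} {token_response['access_token']}"}


# Resource server stand-in: every check the API must make before serving the call
def verify_bearer(headers, required_scope, now=None):
    now = int(now or time.time())
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise PermissionError("missing or malformed bearer token")
    signing_input, _, sig = token.rpartition(".")
    header = json.loads(b64url_decode(signing_input.split(".")[0]))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise PermissionError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(signing_input.split(".")[1]))
    if claims["aud"] != API_AUDIENCE or claims["iss"] != f"https://{DOMAIN}/":
        raise PermissionError("wrong audience or issuer")
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    if required_scope not in claims["scope"].split():
        raise PermissionError("insufficient scope")
    return claims


def run_flow(client_secret=CLIENT_SECRET, now=None):
    """Drives the three steps and returns the claims the API accepted."""
    _, _, body = build_token_request(DOMAIN, CLIENT_ID, client_secret, API_AUDIENCE)
    status, resp = issue_token(body, now)
    if status != 200:
        raise PermissionError(resp["error"])
    return verify_bearer(api_request_headers(resp), "read:reports", now)


if __name__ == "__main__":
    print(run_flow())
```

Two details worth noting: the authorization server returns the same `invalid_client` error whether the Client ID is unknown or the secret is wrong, so the token endpoint does not leak which registered clients exist; and the resource server rejects a token whose audience is not its own, which is what stops a token minted for one API from being replayed against another in the same tenant.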
How to implement the flow
For details on how to implement this with Auth0, refer to Execute a Client Credentials Grant. Before you do so, you have to authorize the Client to call the API by setting up the Grant first, either using the Dashboard or using the Management API.
- How to implement a Client Credentials flow
- How to configure an API in Auth0
- How to set up a Client Credentials Grant using the Dashboard
- How to set up a Client Credentials Grant using the Management API
- How to change the scopes and add custom claims to the tokens using Hooks
- Backend Quickstarts
- Authentication API: POST /oauth/token
- The OAuth 2.0 protocol
- The OpenID Connect protocol
- Tokens used by Auth0
- RFC 6749: The OAuth 2.0 Authorization Framework