Calling APIs from a Service
The OAuth 2.0 grant that machine-to-machine interfaces use to access an API is the Client Credentials Grant. This document explains how the flow works.
Overview of the flow
With the Client Credentials Grant (defined in RFC 6749, section 4.4), a Non Interactive Client (a CLI, a daemon, or a Service running on your backend) can directly ask Auth0 for an access_token by using its Client Credentials (Client Id and Client Secret) to authenticate. In this case the token represents the Non Interactive Client itself, instead of an end user.
1. The application authenticates with Auth0 using its Client Id and Client Secret.
2. Auth0 validates this information and returns an access_token.
3. The application can use the access_token to call the API on behalf of itself.
How to implement the flow
For details on how to implement this using Auth0, refer to Execute a Client Credentials Grant. Before you do so, you have to set up the Grant, using either the Dashboard or the Management API.
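The three steps of the flow, as an added Python sketch that is not taken from the Auth0 documentation: it builds the token request, caches the returned access_token until shortly before it expires, and attaches it to API calls. It assumes the Grant is already set up and that the client authenticates by sending its credentials in the form body; `build_token_request`, `TokenSource`, `authorized_request` and the 30-second `skew` are names and values chosen for this example.

```python
import json
import time
import urllib.parse
import urllib.request


def build_token_request(token_url, client_id, client_secret, audience):
    """Step 1: the service authenticates with its own Client Id and Secret."""
    if not token_url.startswith("https://"):
        raise ValueError("the Client Secret must only be sent over TLS")
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",  # RFC 6749, section 4.4.2
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,  # Auth0 parameter: identifier of the target API
    }).encode()
    return urllib.request.Request(
        token_url, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def http_fetch(request):
    """Send the request and decode the JSON token response."""
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)


class TokenSource:
    """Step 2: keep the returned access_token and reuse it until near expiry."""

    def __init__(self, make_request, fetch=http_fetch, clock=time.time, skew=30):
        self._make_request, self._fetch = make_request, fetch
        self._clock, self._skew = clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            reply = self._fetch(self._make_request())
            if reply.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type in token response")
            self._token = reply["access_token"]
            self._expires_at = self._clock() + int(reply.get("expires_in", 0))
        return self._token


def authorized_request(api_url, token_source):
    """Step 3: call the API on behalf of the service itself."""
    return urllib.request.Request(
        api_url, headers={"Authorization": "Bearer " + token_source.token()})
```

Load the Client Secret from the environment or a secret store at runtime rather than from source code, and keep the request body out of logs, since it carries the secret in clear text.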