Calling APIs from a Service

Heads up! As part of our efforts to improve security and standards-based interoperability, we have implemented several new features in our authentication flows and made changes to existing ones. For an overview of these changes, and details on how to adopt them, refer to Introducing OIDC Conformant Authentication.

The OAuth 2.0 grant that machine-to-machine interfaces use to access an API is the Client Credentials Grant. In this document we will see how this flow works.

If you need a refresher on the OAuth 2.0 protocol, you can go through our OAuth 2.0 article.

Overview of the flow

With the Client Credentials Grant (defined in RFC 6749, section 4.4), a Machine to Machine Client (a CLI, a daemon, or a Service running on your backend) can directly ask Auth0 for an Access Token by authenticating with its client credentials (Client Id and Client Secret). In this case the token represents the client itself, rather than an end user.

Client Credentials Grant Flow

  1. The application authenticates with Auth0 using its Client Id and Client Secret.

  2. Auth0 validates this information and returns an Access Token.

  3. The application can use the Access Token to call the API on behalf of itself.
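As an added example (not Auth0's own code) of the three steps above, this Python client sends the standard /oauth/token request body, caches the returned token until shortly before it expires, and presents it as a Bearer header on API calls. The domain, client credentials and audience are placeholders, and the HTTP transport is injectable so the exchange can be exercised offline.

```python
import json
import time
import urllib.request


class ClientCredentialsClient:
    """Obtains and caches an Access Token via the Client Credentials Grant."""

    def __init__(self, domain, client_id, client_secret, audience,
                 transport=None, clock=time.time):
        # Assumed Auth0 token endpoint layout: https://{domain}/oauth/token
        self.token_url = f"https://{domain}/oauth/token"
        self.client_id = client_id
        self.client_secret = client_secret  # keep in a secret store, never in source
        self.audience = audience            # identifier of the API being called
        self._post = transport or self._http_post
        self._now = clock
        self._token = None
        self._expires_at = 0.0

    @staticmethod
    def _http_post(url, body):
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    def access_token(self):
        """Steps 1-2: authenticate with client credentials, receive a token."""
        # Reuse the cached token until 30 s before expiry: one token request
        # per API call wastes rate limit and multiplies use of the secret.
        if self._token and self._now() < self._expires_at - 30:
            return self._token
        resp = self._post(self.token_url, {
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "audience": self.audience,
        })
        if resp.get("token_type", "").lower() != "bearer":
            raise ValueError(f"unexpected token_type: {resp.get('token_type')!r}")
        self._token = resp["access_token"]
        self._expires_at = self._now() + float(resp["expires_in"])
        return self._token

    def auth_header(self):
        """Step 3: the API call presents the token as a Bearer credential."""
        return {"Authorization": f"Bearer {self.access_token()}"}
```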

In OAuth 2.0 terms, the non-interactive app is the Client, the end user the Resource Owner, the API the Resource Server, the browser the User Agent, and Auth0 the Authorization Server.

How to implement the flow

For details on how to implement this using Auth0, refer to Execute a Client Credentials Grant. Before you do so, you have to set up the Grant first either using the Dashboard or using the Management API.
