Calling APIs from a Service

Heads up! As part of our efforts to improve security and standards-based interoperability, we have implemented several new features in our authentication flows and made changes to existing ones. For an overview of these changes, and details on how you adopt them, refer to Introducing OIDC Conformant Authentication.

The OAuth 2.0 grant that machine-to-machine interfaces utilize in order to access an API, is the Client Credentials Grant. In this document we will see how this flow works.

If you need a refresher on the OAuth 2.0 protocol, you can go through our OAuth 2.0 article.

Overview of the flow

With Client Credentials Grant (defined in RFC 6749, section 4.4) a Non Interactive Client (a CLI, a daemon, or a Service running on your backend), can directly ask Auth0 for an access_token, by using its Client Credentials (Client Id and Client Secret) to authenticate. In this case the token represents the Non Interactive Client itself, instead of an end user.

Client Credentials Grant Flow

  1. The application authenticates with Auth0 using its Client Id and Client Secret.

  2. Auth0 validates this information and returns an access_token.

  3. The application can use the access_token to call the API on behalf of itself.

In OAuth 2.0 terms, the non interactive app is the Client, the end user the Resource Owner, the API the Resource Server, the browser the User Agent, and Auth0 the Authorization Server.

How to implement the flow

For details on how to implement this using Auth0, refer to Execute a Client Credentials Grant. Before you do so, you have to set up the Grant first either using the Dashboard or using the Management API.

Keep reading