Machine to Machine Applications

You can use machine-to-machine applications when you want a non-interactive application, such as a service, command-line tool, or IoT device, to invoke an API using the OAuth 2.0 Client Credentials Grant.

Create a new Machine to Machine Application

To create a new Machine to Machine Application:

  1. Log in to the Dashboard and navigate to Applications.

  2. Click Create Application. When asked what type of application you'd like to create, select Machine to Machine Application. Click Create to proceed.

Create an Application

  3. Select the API you want to call from the application.

If you haven't created an API yet, learn how to configure an API in Auth0.

There will already be an Auth0 Management API that represents Auth0's APIv2. You can authorize applications to request tokens from this API.

Select an API

  4. Select the scopes you want to grant to the Machine to Machine Application.

A scope is a claim that may be issued as part of the Access Token. With this information, the API can enforce fine-grained authorization. You can define scopes in the API's scopes tab.

Select Scopes

At this point, you're ready to call your API using the Machine to Machine Application. The Quick Start tab shows you how to call your API using various technologies.
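The request the application sends behind the Quick Start, as an added example that is not Auth0's own code: it builds the Client Credentials call to the token endpoint for either of the two secret-bearing Token Endpoint Authentication Methods described under Settings (Post or Basic) and parses the reply. The tenant domain, client credentials and API identifier are constructed placeholders.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

# Constructed values for this example (not a real tenant); take yours from the
# application's Settings tab and the API's identifier in the Dashboard.
AUTH0_DOMAIN = "example-tenant.auth0.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"
API_AUDIENCE = "https://api.example.com/"


def build_token_request(auth_method="post"):
    """Return (url, headers, body) for a Client Credentials grant.

    auth_method mirrors the Token Endpoint Authentication Method setting:
    "post" carries the secret in the form body, "basic" in an HTTP Basic header.
    """
    url = f"https://{AUTH0_DOMAIN}/oauth/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "client_credentials", "audience": API_AUDIENCE}
    if auth_method == "post":
        form["client_id"] = CLIENT_ID
        form["client_secret"] = CLIENT_SECRET
    elif auth_method == "basic":
        cred = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"
    else:  # "None" is for public clients without a secret; this grant needs one
        raise ValueError("client credentials require a client secret")
    return url, headers, urlencode(form)


def parse_token_response(body):
    """Extract what the caller needs from the token endpoint's JSON reply."""
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    # Granted scopes come back space-separated; a missing scope field means none.
    return data["access_token"], int(data["expires_in"]), set(data.get("scope", "").split())


def fetch_access_token(auth_method="post"):
    """Perform the request over HTTPS; needs network access and real credentials."""
    url, headers, body = build_token_request(auth_method)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read().decode())
```

The returned access token is then sent to your API as `Authorization: Bearer <token>` until `expires_in` seconds have passed.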

M2M Quickstarts

To learn how to accept and validate Access Tokens in your API implementation, see the Backend Quickstarts.
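An added example (not Auth0's code) of the checks an API performs before trusting an Access Token issued to the application: pinned algorithm, signature, issuer, audience, expiry and, last, the scope granted to the Machine to Machine Application. It assumes HS256 signing with a shared secret and a constructed tenant domain and API identifier; `mint_hs256_token` exists only to produce sample input.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; a real API reads them from its configuration.
AUTH0_DOMAIN = "example-tenant.auth0.com"
API_AUDIENCE = "https://api.example.com/"      # the API identifier registered in the Dashboard
SIGNING_SECRET = b"hs256-secret-placeholder"    # HS256 shared secret; RS256 would use the tenant JWKS

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_hs256_token(claims):
    """Build a sample HS256 JWT so the verifier below has realistic input to check."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_access_token(token, required_scope, now=None):
    """Return the claims if the token is valid for this API, else raise ValueError."""
    now = time.time() if now is None else now
    h_seg, p_seg, s_seg = token.split(".")          # ValueError unless exactly three segments
    if json.loads(_b64url_decode(h_seg)).get("alg") != "HS256":   # never trust the token's alg
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_SECRET, f"{h_seg}.{p_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_seg)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_seg))      # only decoded after the signature holds
    if claims.get("iss") != f"https://{AUTH0_DOMAIN}/":
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if required_scope not in claims.get("scope", "").split():     # scope claim is space-separated
        raise ValueError("insufficient scope")
    return claims
```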

Settings

The Settings tab lets you edit different application settings:

  • Name: The name of your application. This information is editable and you will see it in the portal, emails, logs, and so on.

  • Domain: Your Auth0 tenant name. Note that the domain name is chosen when you create a new Auth0 tenant and cannot be changed. If you need a different one you have to register for a new tenant by selecting + Create Tenant in the top right menu.

  • Client ID: The unique identifier for your application. This is the ID you will use when configuring authentication with Auth0. It is generated by the system when you create a new application and cannot be modified.

  • Client Secret: A string used to sign and validate ID Tokens for authentication flows and to gain access to select Auth0 API endpoints. By default, the value is hidden, so check the Reveal Client Secret box to see this value.

    While the Client ID is considered public information, the Client Secret must be kept confidential. If anyone can access your Client Secret they can issue tokens and access resources they shouldn't.

  • Description: A free-text description of the Application's purpose with a maximum of 140 characters.

  • Application Logo: The URL to a logo (recommended size: 150x150 pixels) to be displayed for the application. This will appear in several areas, including the list of applications in the Dashboard, as well as things like customized consent forms.

  • Application Type: The type of application you are implementing. Select Machine to Machine Application.

  • Token Endpoint Authentication Method: Defines the requested authentication method for the token endpoint. Possible values are None (public client without a client secret), Post (client uses HTTP POST parameters) or Basic (client uses HTTP Basic).

You can provide up to 100 URLs in each of the Allowed Callback URLs, Allowed Web Origins, Allowed Logout URLs, and Allowed Origins (CORS) fields.

  • Allowed Callback URLs: Set of URLs to which Auth0 is allowed to redirect the users after they authenticate. You can specify multiple valid URLs by comma-separating them (typically to handle different environments like QA or testing). For production environments, verify that the URLs do not point to localhost. You can use the star symbol as a wildcard for subdomains (*.google.com). Make sure to specify the protocol, http:// or https://, otherwise the callback may fail in some cases.

  • Allowed Web Origins: List of URLs from which an authorization request using web_message as the response mode can originate. You can specify multiple valid URLs by comma-separating them. For production environments, verify that the URLs do not point to localhost.

  • Allowed Logout URLs: After a user logs out from Auth0 you can redirect them with the returnTo query parameter. The URL that you use in returnTo must be listed here. You can specify multiple valid URLs by comma-separating them. For production environments, verify that the URLs do not point to localhost. You can use the star symbol as a wildcard for subdomains (*.google.com). Notice that querystrings and hash information are not taken into account when validating these URLs. Read more about this at: Logout.

  • Allowed Origins (CORS): Set of URLs that will be allowed to make requests from JavaScript to Auth0 API (typically used with CORS). This prevents same-origin policy errors when using Auth0 from within a web browser. By default, all your callback URLs will be allowed. This field allows you to enter other origins if you need to. You can specify multiple valid URLs by comma-separating them. For production environments, verify that the URLs do not point to localhost. You can use the star symbol as a wildcard for subdomains (*.google.com). Notice that paths, querystrings and hash information are not taken into account when validating these URLs (and may, in fact, cause the match to fail).

  • JWT Expiration (seconds): The amount of time (in seconds) before the Auth0 ID Token expires. The default value is 36000, which maps to 10 hours.

  • Use Auth0 instead of the IdP to do Single Sign On: If enabled, this setting prevents Auth0 from redirecting authenticated users with valid sessions to the identity provider (such as Facebook, ADFS, and so on).

Application Settings Page

Advanced Settings

The Advanced Settings section allows you to:

  • Manage or add Application Metadata, Mobile, OAuth, and WS-Federation settings
  • Obtain certificates and token endpoint information
  • Set the grant type(s) for the Application

Advanced Application Settings Page

Application Metadata

Application metadata are custom string keys and values (each of which has a character maximum of 255), set on a per-application basis. Metadata is exposed in the Application object as client_metadata, and in Rules as context.clientMetadata.

You can create up to 10 sets of metadata.

OAuth

Set the OAuth-related settings on this tab:

  • By default, all apps/APIs can make a delegation request, but if you want to explicitly grant permissions to selected apps/APIs, you can do so in Allowed APPs/APIs.

  • Set the algorithm used (HS256 or RS256) for signing your JSON Web Tokens.

  • Toggle the switch to indicate if your application is OIDC Conformant or not.

  • Toggle the Trust Token Endpoint IP Header setting; if this is enabled, the auth0-forwarded-for header is treated as trusted and used as the source of end-user IP information for protection against brute-force attacks on the token endpoint.

APIs

The APIs tab:

  • Lists all available APIs for the tenant
  • Shows the ones that the Machine to Machine Application is authorized to call
  • Lets you authorize additional APIs

M2M APIs

For example, you can authorize the same Machine to Machine Application to call both your own API and the Auth0 Management API.

Customers can see their Machine to Machine usage report in the Support Center. Please note that this is not a user count, but the number of Access Tokens issued by Auth0 for the Client Credentials grant per calendar month for a given tenant.