Machine to Machine Flow

The Machine to Machine Flow runs when an Access Token is being issued via the Client Credentials Flow.

Diagram showing the Actions Machine to Machine Flow and when the triggers inside of it run.

Actions in this flow are blocking (synchronous), which means they execute as part of a trigger's process and will prevent the rest of the Auth0 pipeline from running until the Action is complete.

Triggers

M2M / Client Credentials

The credentials-exchange trigger is a function executed before the access token is returned.

References

  • Event object: Provides contextual information about the request for a client credentials exchange.

  • API object: Provides methods for changing the behavior of the flow

Common use cases

Access control

A credentials-exchange Action can be used to deny an access token based on custom logic.

/**
 * @param {Event} event - Details about client credentials grant request.
 * @param {CredentialsExchangeAPI} api - Interface whose methods can be used to change the behavior of client credentials grant.
 */
exports.onExecuteCredentialsExchange = async (event, api) => {
  if (event.request.geoip.continentCode === "NA") {
    api.access.deny('invalid_request', "Access from North America is not allowed.");
  }
};

Was this helpful?

/

Add custom claims to the access token

A credentials-exchange Action can be used to add custom claims to an access token.

/**
 * @param {Event} event - Details about client credentials grant request.
 * @param {CredentialsExchangeAPI} api - Interface whose methods can be used to change the behavior of client credentials grant.
 */
exports.onExecuteCredentialsExchange = async (event, api) => {
  api.accessToken.setCustomClaim("https://my-api.exampleco.com/request-ip", event.request.ip);  
};

Was this helpful?

/