Client Credentials Flow

With machine-to-machine (M2M) applications, such as CLIs, daemons, or services running on your back-end, the system authenticates and authorizes the app itself rather than a user. For this scenario, typical authentication schemes like username + password or social logins don't make sense. Instead, M2M apps use the Client Credentials Flow (defined in OAuth 2.0 RFC 6749, section 4.4), in which they pass along their Client ID and Client Secret to authenticate themselves and get a token. Because the flow rests entirely on the Client Secret, it is only suitable for confidential clients that can keep that secret away from end users; a single-page app or a native app distributed to users cannot protect a secret and must not use this flow.

How it works

Client Credentials Flow Authentication Sequence

  1. Your app authenticates with the Auth0 Authorization Server using its Client ID and Client Secret (/oauth/token endpoint).
  2. Your Auth0 Authorization Server validates the Client ID and Client Secret.
  3. Your Auth0 Authorization Server responds with an Access Token.
  4. Your application can use the Access Token to call an API on behalf of itself.
  5. The API responds with requested data.
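The five steps above, run end to end, as an added example (not Auth0's code and not from a Quickstart). The client side builds the same form body a real POST to `/oauth/token` carries (`grant_type=client_credentials`, `client_id`, `client_secret`, `audience`); the authorization server, the protected API, the registered client `abc123` and its secret are constructed in-process stand-ins so the whole sequence runs offline. The server side compares the secret in constant time and binds the issued token to the requested audience, which is what the API later checks.

```python
"""Client Credentials exchange, end to end, with in-process stand-ins.

Added example, not Auth0's code. Only the request body built by the client
matches the real /oauth/token call; the server and API are constructed here.
"""
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed registry: one M2M application and the API identifier it may request.
REGISTERED_CLIENTS = {
    "abc123": {
        "client_secret": "s3cr3t-example",
        "allowed_audiences": {"https://api.example.com/"},
    },
}
TOKEN_TTL_SECONDS = 3600


def build_token_request(client_id: str, client_secret: str, audience: str) -> str:
    """Step 1: the form-encoded body the app POSTs to /oauth/token."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    })


class AuthorizationServer:
    """Stand-in for the /oauth/token endpoint (steps 2 and 3)."""

    def __init__(self) -> None:
        self._issued: dict = {}  # opaque token -> claims the API will look up

    def token_endpoint(self, form_body: str) -> dict:
        form = {k: v[0] for k, v in parse_qs(form_body).items()}
        if form.get("grant_type") != "client_credentials":
            return {"status": 400, "error": "unsupported_grant_type"}
        client = REGISTERED_CLIENTS.get(form.get("client_id", ""))
        # Always run the comparison, against a throwaway secret for unknown IDs,
        # so neither the secret nor the existence of a client ID leaks via timing.
        expected = client["client_secret"] if client else secrets.token_hex(16)
        secret_ok = hmac.compare_digest(form.get("client_secret", "").encode(), expected.encode())
        if client is None or not secret_ok:
            return {"status": 401, "error": "access_denied"}
        audience = form.get("audience", "")
        if audience not in client["allowed_audiences"]:
            return {"status": 403, "error": "access_denied"}
        token = secrets.token_urlsafe(32)
        self._issued[token] = {
            "sub": form["client_id"] + "@clients",  # constructed: names the app, not a user
            "aud": audience,
            "exp": time.time() + TOKEN_TTL_SECONDS,
        }
        return {"status": 200, "access_token": token, "token_type": "Bearer",
                "expires_in": TOKEN_TTL_SECONDS}

    def lookup(self, token: str) -> Optional[dict]:
        return self._issued.get(token)


class ProtectedApi:
    """Stand-in for the API the app calls with its token (steps 4 and 5)."""

    def __init__(self, auth_server: AuthorizationServer, audience: str) -> None:
        self._auth_server = auth_server
        self._audience = audience

    def handle(self, headers: dict) -> dict:
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return {"status": 401, "error": "missing_bearer_token"}
        claims = self._auth_server.lookup(token)
        # Reject tokens minted for a different API or already expired.
        if claims is None or claims["aud"] != self._audience or claims["exp"] <= time.time():
            return {"status": 401, "error": "invalid_token"}
        return {"status": 200, "caller": claims["sub"], "data": {"orders": [1001, 1002]}}


def run_flow(client_id: str, client_secret: str, audience: str,
             auth_server: AuthorizationServer, api: ProtectedApi) -> dict:
    """Runs steps 1 through 5 and returns the API's response (or the token error)."""
    token_response = auth_server.token_endpoint(
        build_token_request(client_id, client_secret, audience))
    if token_response["status"] != 200:
        return token_response
    bearer = f"{token_response['token_type']} {token_response['access_token']}"
    return api.handle({"Authorization": bearer})


if __name__ == "__main__":
    auth = AuthorizationServer()
    api = ProtectedApi(auth, "https://api.example.com/")
    print(run_flow("abc123", "s3cr3t-example", "https://api.example.com/", auth, api))
```

Note the two distinct failure modes: a wrong secret is rejected at the token endpoint before any token exists, while a valid client asking for an audience it was never granted gets no token either, so the API never has to reason about an over-scoped token.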

How to implement it

The easiest way to implement the Client Credentials Flow is to follow our Backend Quickstarts.

You can also follow our tutorial to use our API endpoints to Call Your API Using the Client Credentials Flow.
