Configure Your Application For M2M Access
After creating the application, configure it for machine-to-machine access by following these steps:
Define organization behavior for each API you need to access.
If the application should access only specific organizations rather than all of them, Authorize M2M Access for each API you need to access for those specific organizations.
Define organization behavior
For each API, you can configure how your application uses Organizations during the Client Credentials Flow: whether the application must use an organization, and whether it can access any organization or only explicitly associated ones.
The following table explains the fields for defining organization behavior for M2M access:
Define organization behavior table
Field | Description | API Mapping |
---|---|---|
Organization Support | Determines how this application may use organizations when accessing via the Client Credentials Flow. | Organization Support maps to organization_usage. |
Allow machine-to-machine access to any organization | Determines whether this application can access any organization or is limited to a set of explicitly associated organizations when using the Client Credentials Flow. By default, this behavior is not allowed. | Allow machine-to-machine access to any organization maps to allow_any_organization. |
Define organization behavior for an application
To define organization behavior for an application, use the Auth0 Dashboard or Management API.
For a machine-to-machine application, define organization behavior via the Auth0 Dashboard:
Navigate to Auth0 Dashboard > Applications, and select the application for which you want to configure Organizations.
Switch to the APIs tab and expand the client_grant details for the API you wish to configure access to.
Configure the appropriate settings as explained in the Define organization behavior table.
Select Save.
Alternatively, if it is not a machine-to-machine application:
Navigate to Auth0 Dashboard > APIs, and select the API for which you want to configure Organizations access.
Switch to the Machine To Machine Applications tab. It shows all applications, not just Machine-to-Machine applications. Locate your application.
To authorize access, click the toggle for your application. Then, click your application to expand the configuration details.
Configure the appropriate settings as explained in the Define organization behavior table.
Select Save.
You can also define organization behavior for an application using the Management API. The client_grant object controls your application's access to an API; you must configure a client_grant for each API your application needs to access. To configure the client_grant for M2M access, use the Create client grant or Update client grant endpoints and the Define organization behavior table to update the appropriate settings.
The following code sample creates a client_grant object with M2M access:

```bash
curl --request POST \
  --url 'https://{YOUR_DOMAIN}/api/v2/client-grants' \
  --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \
  --header 'content-type: application/json' \
  --data '{
    "client_id": "CLIENT_ID",
    "audience": "API_IDENTIFIER",
    "scope": [
      "scope1",
      "scope2"
    ],
    "organization_usage": "ORG_USAGE",
    "allow_any_organization": false
  }'
```
The following code sample updates a client_grant object with M2M access:

```bash
curl --request PATCH \
  --url 'https://{YOUR_DOMAIN}/api/v2/client-grants/CLIENT_GRANT_ID' \
  --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \
  --header 'content-type: application/json' \
  --data '{
    "organization_usage": "ORG_USAGE",
    "allow_any_organization": false
  }'
```
Set default organization
Some clients do not support non-standard fields in the Client Credentials Flow. Therefore, they cannot send the required organization parameter to the /oauth/token endpoint. For these clients, you can set a default organization that is automatically applied to any Client Credentials request from the application when none is specified and organization support is required by the API.
The following table explains the fields for setting a default organization for machine-to-machine access:
Set default organization table
Field | Description | API Mapping |
---|---|---|
Default Organization for Machine-to-Machine Access | Defines which organization to apply to Client Credentials requests that do not contain an organization. | Default Organization for Machine-to-Machine Access maps to the default_organization object with the following properties: |
Set default organization for an application
To set the default organization for an application, use the Auth0 Dashboard or Management API.
To enable a default organization for an application via the Auth0 Dashboard:
Navigate to Auth0 Dashboard > Applications, and select the application you want to configure.
Select the Organizations tab.
Configure the appropriate settings as explained in the Set default organization table.
Click Save.
You can configure the default organization for an application via the Create a client or Update a client endpoints. The only currently supported flow value is client_credentials.
The following code sample updates a client with a default organization:
```bash
curl -X PATCH --location "https://{YOUR_DOMAIN}/api/v2/clients/{CLIENT_ID}" \
  --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \
  --header 'content-type: application/json' \
  --data '{
    "default_organization": {
      "organization_id": "ORGANIZATION_ID",
      "flows": ["client_credentials"]
    }
  }'
```
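A review script for the settings described above, as an added example that is not Auth0's own code: it flags client grants that allow any organization, grants that require an organization while the client has no default, and defaults that are never applied. The organization_usage values deny, allow and require come from the Management API rather than this page; treating an unset value as deny, the finding codes, and all sample records are assumptions.

```python
# Added example: least-privilege review of client_grant settings.
# GRANTS and DEFAULT_ORGS are constructed sample data, not tenant output.
GRANTS = [
    {"id": "cgr_1", "client_id": "billing-job", "audience": "https://api.example.test",
     "organization_usage": "require", "allow_any_organization": True},
    {"id": "cgr_2", "client_id": "report-job", "audience": "https://api.example.test",
     "organization_usage": "require", "allow_any_organization": False},
    {"id": "cgr_3", "client_id": "legacy-sync", "audience": "https://api.example.test",
     "organization_usage": "allow", "allow_any_organization": False},
]
# client_id -> default organization id; a missing key means none is set.
DEFAULT_ORGS = {"report-job": "org_sample_a", "legacy-sync": "org_sample_b"}


def audit_grants(grants, default_orgs):
    """Return sorted (grant_id, code) findings for a list of client_grant dicts."""
    findings = []
    for g in grants:
        # Assumption: an unset organization_usage behaves like "deny".
        usage = g.get("organization_usage") or "deny"
        # The page states any-organization access is off by default.
        any_org = bool(g.get("allow_any_organization", False))
        default = default_orgs.get(g["client_id"])

        if any_org:
            # Not limited to explicitly associated organizations.
            findings.append((g["id"], "ANY_ORG"))
        if usage == "require" and default is None:
            # Every token request must carry the organization parameter.
            findings.append((g["id"], "REQUIRE_WITHOUT_DEFAULT"))
        if usage != "require" and default is not None:
            # Per the page, the default applies only when an organization
            # is required, so here it is never applied for this API.
            findings.append((g["id"], "DEFAULT_NOT_APPLIED"))
    return sorted(findings)


if __name__ == "__main__":
    for grant_id, code in audit_grants(GRANTS, DEFAULT_ORGS):
        print(grant_id, code)
```

Feed it the client_grant objects and client records exported from your tenant in place of the sample data; a grant with no findings is limited to explicitly associated organizations and has a consistent default.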