Machine-to-Machine (M2M)

2 min read·Updated Apr 29, 2026

M2M authentication is for servers, jobs, and services that need to call your API without a human user. Authaz issues access tokens through the standard OAuth 2.0 client credentials grant — no Universal Login, no redirects, just a client_id and client_secret exchange.

# Get an access token for a service
curl -X POST "https://your-app.authaz.io/oauth2/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "scope=invoices:read"

{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "invoices:read"

Previous: SAML SSO
Next: API Keys

curl -X PUT https://your-app.authaz.io/api/v1/applications/{appId}/auth/m2m \
  -H "X-API-Key: $AUTHAZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "enabled": true,
    "defaultTokenLifetimeSeconds": 3600
  }'

curl -X POST https://your-app.authaz.io/api/v1/applications/{appId}/m2m/credentials \
  -H "X-API-Key: $AUTHAZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "billing-job",
    "scopes": ["invoices:read", "invoices:create"],
    "expiresAt": "2027-01-01T00:00:00Z"
  }'

{
  "id": "cred_01h...",
  "clientId": "01h8...",
  "clientSecret": "secret_xxxxxxxxxxxx...",
  "name": "billing-job",
  "scopes": ["invoices:read", "invoices:create"],
  "expiresAt": "2027-01-01T00:00:00Z"
}

const cached = { token: null, expiresAt: 0 };
 
const getToken = async () => {
  if (cached.token && Date.now() < cached.expiresAt - 5 * 60_000) {
    return cached.token;
  }
 
  const res = await fetch("https://your-app.authaz.io/oauth2/token", {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      grant_type: "client_credentials",
      client_id: process.env.AUTHAZ_CLIENT_ID!,
      client_secret: process.env.AUTHAZ_CLIENT_SECRET!,
      scope: "invoices:read invoices:create",
    }),
  });
 
  const json = await res.json();
  cached.token = json.access_token;
  cached.expiresAt = Date.now() + json.expires_in * 1000;
  return cached.token;
};

# Give the credential a role
curl -X POST https://your-app.authaz.io/api/v1/role-assignments \
  -H "X-API-Key: $AUTHAZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "subjectType": "credential",
    "subjectId": "cred_01h...",
    "roleId": "role_billing_writer"
  }'

curl -X POST https://your-app.authaz.io/api/v1/applications/{appId}/m2m/credentials/{credId}/jwks \
  -H "X-API-Key: $AUTHAZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "keys": [{
      "kty": "RSA",
      "kid": "key-1",
      "use": "sig",
      "alg": "RS256",
      "n": "...",
      "e": "AQAB"
    }]
  }'

import { SignJWT } from "jose";
 
const assertion = await new SignJWT({})
  .setProtectedHeader({ alg: "RS256", kid: "key-1" })
  .setIssuer(clientId)
  .setSubject(clientId)
  .setAudience("https://your-app.authaz.io/oauth2/token")
  .setExpirationTime("2m")
  .setJti(crypto.randomUUID())
  .sign(privateKey);
 
const res = await fetch("https://your-app.authaz.io/oauth2/token", {
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  body: new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
    client_assertion: assertion,
    scope: "invoices:read",
  }),
});

Machine-to-Machine (M2M)

Setup#

1. Enable M2M#

2. Create a credential#

3. Use it from the service#

Permissions and scopes#

High-security: `private_key_jwt`#

1. Generate an RSA keypair#

2. Upload the public key as JWKS#

3. Mint and exchange a JWT#

Rotating secrets#

Revoking immediately#

Next steps#