Machine to Machine Triggers
The Machine to Machine trigger runs when an Access Token is being issued via the Client Credentials Flow.
Actions in this flow are blocking (synchronous), which means they execute as part of a trigger's process and will prevent the rest of the Auth0 pipeline from running until the Action is complete.
Triggers
M2M / Client Credentials
The credentials-exchange trigger is a function executed before the access token is returned.
References
Event object: Provides contextual information about the request for a client credentials exchange.
API object: Provides methods for changing the behavior of the flow.
Common use cases
Access control
A credentials-exchange Action can be used to deny an access token based on custom logic.
/**
* @param {Event} event - Details about client credentials grant request.
* @param {CredentialsExchangeAPI} api - Interface whose methods can be used to change the behavior of client credentials grant.
*/
exports.onExecuteCredentialsExchange = async (event, api) => {
if (event.request.geoip.continentCode === "NA") {
api.access.deny('invalid_request', "Access from North America is not allowed.");
}
};Was this helpful?
Add custom claims to the access token
A credentials-exchange Action can be used to add custom claims to an access token.
/**
* @param {Event} event - Details about client credentials grant request.
* @param {CredentialsExchangeAPI} api - Interface whose methods can be used to change the behavior of client credentials grant.
*/
exports.onExecuteCredentialsExchange = async (event, api) => {
api.accessToken.setCustomClaim("https://my-api.exampleco.com/request-ip", event.request.ip);
};Was this helpful?
We strong recommend using namespaced custom claim in the form of a URI. To learn more about namespaced and non-namespaced custom claims, read Create Custom Claims.