Important: This is a contributors' guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.
Recommend access tokens using custom scopes for M2M
Status
This is just a proposal so far; it hasn't been accepted and needs further discussion.
- Status: proposed
- Deciders: rishabhpoddar, porcellus
- Proposed by: porcellus
- Created: 2023-05-11
Context and Problem Statement
We want to remove/simplify the M2M guide that uses the JWT recipe.
Considered Options
- Keep recommending the JWT recipe
- Provide separate API for admin keys
- Recommend access tokens using custom scopes for M2M
Decision Outcome
Chosen option: Recommend access tokens using custom scopes for M2M
- Fits the client credential flow of OAuth2 well.
- Doesn't require a separate/dedicated recipe for M2M.
- Doesn't require a separate guide.
Some further details:
- Our customers will still be able to add and share client credentials with/for their clients. Using this, M2M can be done using the client credentials flow.
- By adding the recommendation to create a long-lived access token, we hope to make it easier for the client to use ("just add it as a Bearer token", essentially turning it into a simple API key).
- If this method is used, these tokens should be considered opaque and validated using the token verification endpoint exposed by the core.
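As an added example (not SuperTokens' own code), the resource-server side of the approach above: the long-lived M2M token is treated as opaque, handed to a verification function that stands in for the core's token verification endpoint, and the custom scopes it carries are then enforced. The token table, the scope names and the `verifyWithCore` stub are constructed assumptions; a real deployment would call the core over HTTP instead of consulting an in-memory map.

```javascript
// Constructed sample data: opaque token -> what the core's verification
// endpoint would report for it. Stands in for the core; not real SuperTokens API.
const issuedTokens = new Map([
  ["tok_reporting_client", { clientId: "reporting-svc", scopes: ["reports:read"], exp: 4102444800 }],
  ["tok_expired_client", { clientId: "batch-svc", scopes: ["reports:read", "reports:write"], exp: 1000 }],
]);

// Stub for the core's token verification endpoint (assumed shape of the answer).
// The resource server never decodes the token itself: it is opaque to it.
function verifyWithCore(token) {
  const claims = issuedTokens.get(token);
  if (!claims) return { valid: false, reason: "unknown_token" };
  if (claims.exp * 1000 <= Date.now()) return { valid: false, reason: "expired" };
  return { valid: true, claims };
}

// Accept exactly "Bearer <token>" (case-insensitive scheme, nothing trailing).
function extractBearer(headers) {
  const header = headers["authorization"] ?? "";
  const [scheme, token, ...rest] = header.trim().split(/\s+/);
  if (!token || rest.length || scheme.toLowerCase() !== "bearer") return null;
  return token;
}

// Authorize an M2M request: 401 for a missing/invalid token, 403 when the
// token is valid but lacks one of the required custom scopes.
function authorizeM2M(headers, requiredScopes, verify = verifyWithCore) {
  const token = extractBearer(headers);
  if (!token) return { ok: false, status: 401, reason: "missing_bearer" };
  const result = verify(token);
  if (!result.valid) return { ok: false, status: 401, reason: result.reason };
  const granted = new Set(result.claims.scopes);
  const missing = requiredScopes.filter((s) => !granted.has(s));
  if (missing.length) return { ok: false, status: 403, reason: "insufficient_scope", missing };
  return { ok: true, status: 200, clientId: result.claims.clientId };
}
```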