Important: This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Recommend access tokens using custom scopes for M2M

Status

This is just a proposal so far; it has not been accepted and needs further discussion.

Status: proposed
Deciders: rishabhpoddar, porcellus
Proposed by: porcellus
Created: 2023-05-11

Context and Problem Statement

We want to remove/simplify the M2M guide that uses the JWT recipe.

Considered Options

  • Keep recommending the JWT recipe
  • Provide separate API for admin keys
  • Recommend access tokens using custom scopes for M2M

Decision Outcome

Chosen option: Recommend access tokens using custom scopes for M2M

  • Fits the client credential flow of OAuth2 well.
  • Doesn't require a separate/dedicated recipe for M2M.
  • Doesn't require a separate guide.

Some further details:

  • Our customers will still be able to create client credentials and share them with their own clients. With these, M2M communication can use the OAuth2 client credentials flow.
  • By recommending that a long-lived access token be created, we hope to make this easier for the client to use ("just add it as a Bearer token"), essentially turning the token into a simple API key.
  • If this method is used, these tokens should be treated as opaque and validated through the token verification endpoint exposed by the core, not parsed or verified locally.
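The following is an added illustration of the server-side check this option implies, not SuperTokens code: one scope-based authorizer that serves both an M2M caller holding a long-lived token and an FE client, with the token treated as opaque. The `introspect` function and its table are a constructed stand-in for the core's token verification endpoint.

```python
"""Scope-based authorization for an endpoint shared by M2M and FE callers.

Added example, not part of SuperTokens. ``introspect`` stands in for a call
to the core's token verification endpoint; the token is never parsed here.
"""
import time
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TokenInfo:
    active: bool
    scopes: frozenset = field(default_factory=frozenset)
    client_id: str = ""
    exp: int = 0  # unix time after which the token is no longer valid


# Constructed sample data standing in for the core's token store. The core is
# the only authority on whether an opaque token is valid; an application would
# call its verification endpoint instead of holding such a table.
_CORE_TOKENS = {
    "m2m-token-a": TokenInfo(True, frozenset({"reports:read"}), "svc-report", 2_000_000_000),
    "fe-session-b": TokenInfo(True, frozenset({"profile:read", "reports:read"}), "web-app", 2_000_000_000),
    "expired-c": TokenInfo(True, frozenset({"reports:read"}), "svc-old", 1),
}


def introspect(token: str, now=None) -> TokenInfo:
    """Hypothetical verification call: answers active/inactive plus granted scopes."""
    now = time.time() if now is None else now
    info = _CORE_TOKENS.get(token)
    if info is None or not info.active or info.exp <= now:
        return TokenInfo(False)  # unknown, revoked or expired: never trust it
    return info


def authorize(headers: dict, required_scope: str, now=None):
    """Return (status, detail) for a request; the same path serves M2M and FE callers."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, "missing bearer token"
    info = introspect(token, now)
    if not info.active:
        return 401, "invalid or expired token"
    if required_scope not in info.scopes:
        return 403, f"missing scope {required_scope}"  # authenticated but not permitted
    return 200, f"ok:{info.client_id}"
```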

Pros and Cons of the Options

Provide separate API for admin keys

  • Self-explanatory API
  • Requires a dedicated recipe for M2M
  • Requires a dedicated validator for M2M
  • Makes it hard to implement endpoints that can be called by both another server (M2M) and FE clients

Recommend access tokens using custom scopes for M2M

  • Fits the client credential flow of OAuth2 well
  • Easy to implement endpoints that can be called by both another server (M2M) and FE clients
  • Requires enabling OAuth2 even if it's not intended for end-users of the app
  • Requires more docs
Keep recommending the JWT recipe

  • Already implemented
  • Requires a separate guide
  • Requires a separate type of token validation