Machine Authentication
Machines use the Client Credentials flow to obtain access tokens.
Machine-to-machine (M2M) authentication is essential when non-human identities, such as microservices, APIs, or AI systems, need to interact securely without human intervention. Examples include service-to-service communication in distributed systems or enabling backend systems to access cloud resources. With the rise of AI and automation, more systems are relying on M2M authentication to handle complex, large-scale interactions independently.
Client Credentials Flow for Authenticating
M2M clients in Wristband use the Client Credentials flow, a grant type specifically designed for scenarios where machines authenticate. Since there's no user interaction, the client (machine) authenticates directly with Wristband by providing its client ID and secret.
To gain access to resources, your server will make requests to Wristband's Token Endpoint and supply the client ID and secret. Wristband then returns an access token, which can be used to authenticate API calls or resource requests.
M2M Token Management
No Refresh Tokens
Unlike human-user authentication, where refresh tokens are used to renew access, M2M clients do not use refresh tokens. Instead, when the access token expires, the M2M client simply re-authenticates by providing its client ID and secret again. This reduces complexity in managing token lifecycles for machines and ensures they can always obtain new tokens without extra steps.
Configuring Token Expiration
Wristband allows you to configure the expiration time of access tokens for M2M clients. This flexibility lets you balance between security and convenience. Shorter token lifetimes increase security by limiting the exposure of access tokens, while longer lifetimes reduce the frequency of re-authentication for clients that need continuous access to resources.
Client Secret Rotation
Client secrets can be rotated to improve security, especially if a secret is compromised or outdated. You can maintain both a primary and secondary secret, which ensures seamless transitions between credentials during rotation. The secondary secret can be safely deleted once the rotation is complete. Regularly rotating client secrets reduces the risk of unauthorized access and keeps your authentication system resilient.
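The Client Credentials exchange, re-authentication on expiry instead of refresh tokens, and a primary/secondary secret fallback during rotation, as an added example in Python (not Wristband's own SDK or API). It assumes a standard OAuth 2.0 token endpoint (grant_type=client_credentials with HTTP Basic client authentication, a JSON response carrying access_token and expires_in); the TOKEN_ENDPOINT URL is a placeholder and the transport can be swapped for offline testing.

```python
import base64, json, time
from typing import Optional, Tuple
from urllib import parse, request

TOKEN_ENDPOINT = "https://token-endpoint.example.invalid/oauth2/token"  # placeholder: use your Wristband Token Endpoint URL
EXPIRY_SKEW_SECONDS = 30  # re-authenticate a little before the token actually expires


def http_transport(url: str, body: str, auth_header: str) -> Tuple[int, dict]:
    """POST the token request; returns (status, json). Swappable so the logic can be tested offline."""
    req = request.Request(url, data=body.encode(), method="POST")
    req.add_header("Authorization", auth_header)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except request.HTTPError as err:  # 4xx/5xx responses still carry a JSON error body
        return err.code, json.loads(err.read() or b"{}")


class M2MTokenManager:
    """Caches one access token and re-authenticates with client ID + secret on expiry
    (no refresh tokens); tries the secondary secret only if the primary is rejected."""

    def __init__(self, client_id: str, primary_secret: str, secondary_secret: Optional[str] = None,
                 transport=http_transport, now=time.time):
        self.client_id = client_id
        self.secrets = [s for s in (primary_secret, secondary_secret) if s]
        self.transport, self.now = transport, now
        self._token, self._expires_at = None, 0.0

    def _request_token(self, secret: str) -> Tuple[int, dict]:
        # client_secret_basic: form-encode id and secret, then base64 (RFC 6749 section 2.3.1)
        creds = f"{parse.quote(self.client_id, safe='')}:{parse.quote(secret, safe='')}"
        auth = "Basic " + base64.b64encode(creds.encode()).decode()
        return self.transport(TOKEN_ENDPOINT, parse.urlencode({"grant_type": "client_credentials"}), auth)

    def get_token(self) -> str:
        if self._token and self.now() < self._expires_at - EXPIRY_SKEW_SECONDS:
            return self._token  # still valid: reuse instead of hitting the endpoint again
        error = "no client secret configured"
        for secret in self.secrets:
            status, payload = self._request_token(secret)
            if status == 200 and "access_token" in payload:
                self._token = payload["access_token"]
                self._expires_at = self.now() + float(payload.get("expires_in", 0))
                return self._token
            error = payload.get("error", f"http {status}")
            if error != "invalid_client":
                break  # only a rejected secret justifies trying the other one
        raise PermissionError(f"client credentials rejected: {error}")
```

Once the rotation is finished and the old secret deleted on the Wristband side, construct the manager with the new secret as primary and no secondary.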
Role-Based Access Control
Roles can be assigned to M2M clients, much like they are for human users. This allows for fine-grained access control, where each client can be restricted to specific resources, operations, or data. By aligning client roles with your application's security policies, you can ensure that each machine only has access to the precise resources it needs, increasing security and operational control.