Machine to Machine (M2M)

Machines use the Client Credentials flow to obtain access tokens.

Machine-to-machine (M2M) authentication is essential when non-human identities, such as microservices, APIs, or AI agents, need to interact securely without human intervention. Examples include service-to-service communication in distributed systems or scheduled tasks that run autonomously in the background. With the rise of AI and automation, more systems rely on M2M authentication to handle complex operations independently.

Client Credentials Flow for Authenticating

M2M clients in Wristband use the OAuth 2 Client Credentials flow to authenticate themselves. Since there's no user interaction, the client (machine) authenticates directly with Wristband by providing its client ID and secret.

To start the authentication process, your server will call Wristband's Token Endpoint and supply its client ID and secret. Wristband then returns an access token to the client, which it can use in API calls to authenticate itself.

[Figure: M2M Authentication]

M2M Token Management

No Refresh Tokens

Unlike human-user authentication, where refresh tokens are used to renew access, M2M clients do not use refresh tokens. Instead, when the access token expires, the M2M client re-authenticates by providing its client ID and secret again. This reduces complexity in managing token lifecycles for machines and ensures they can always obtain new tokens.
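The token request and the re-authentication on expiry described above can be sketched as follows. This is an added example, not Wristband's own code: the token URL is a placeholder, the class and function names are hypothetical, and it assumes the endpoint accepts HTTP Basic client authentication as defined for the Client Credentials grant in RFC 6749.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumption: placeholder URL; use the Token Endpoint of your Wristband application.
TOKEN_URL = "https://auth.example.invalid/oauth2/token"

def build_token_request(client_id, client_secret):
    """Client Credentials request per RFC 6749 section 4.4 (HTTP Basic client auth)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return headers, body

def http_post(url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class M2MTokenCache:
    """Caches the access token; re-authenticates with ID and secret when it expires."""
    def __init__(self, client_id, client_secret, post=http_post, clock=time.monotonic, skew=30):
        self._creds = (client_id, client_secret)
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def get_token(self):
        if self._token is None or self._clock() >= self._expires_at:
            headers, body = build_token_request(*self._creds)
            resp = self._post(TOKEN_URL, headers, body)
            self._token = resp["access_token"]
            # Renew `skew` seconds early so a token never expires mid-request.
            self._expires_at = self._clock() + resp["expires_in"] - self._skew
        return self._token

def demo():
    """Offline run against a constructed fake endpoint, clock and credentials."""
    now, calls = [0.0], []
    def fake_post(url, headers, body):
        calls.append((headers["Authorization"], body))
        return {"access_token": f"token-{len(calls)}", "expires_in": 3600}
    cache = M2MTokenCache("my-client-id", "my-client-secret", post=fake_post, clock=lambda: now[0])
    def at(t):
        now[0] = t
        return cache.get_token()
    return at(0.0), at(1000.0), at(3580.0), calls
```

In `demo()`, the second call is served from the cache and the third falls inside the 30-second renewal window, so only two requests reach the token endpoint.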

Client Secret Rotation

Client secrets can be rotated to remove a secret that has been compromised or as part of a regular rotation schedule. You can maintain both a primary and secondary secret simultaneously, which ensures seamless transitions between credentials during rotation. The secondary secret can be safely deleted once the rotation is complete.

Role-Based Access Control

Roles can be assigned to M2M clients, much like they are for human users. This allows for fine-grained access control, where each client can be restricted to specific resources, operations, or data. By aligning client roles with your application's security policies, you can ensure that each machine only has access to the precise resources it needs, increasing security and operational control.