Client Credentials Grant Requires "audience" Parameter
A default audience for the tenant was configured by following the API Authorization Settings.
However, for a Machine-to-Machine (M2M) client using the client_credentials grant_type, the default audience is not applied to the token request.
When the audience is omitted from the request, an opaque token is received:
{
  "access_token": "gh..redacted",
  "expires_in": 86400,
  "token_type": "Bearer"
}
This causes a problem with a third-party integration that expects a JWT access token.
- Client Credential Flow
- Machine-to-Machine (M2M) Client
- Audience Parameter
The client must be non-global, and the allow_api1_non_global_clients flag has to be false for the default tenant audience to apply to the client credentials flow.
Some public/private cloud tenants may currently have this flag set to true. As long as Management API v1 is not being used, the flag can be set to false. Contact Auth0 Support for assistance in updating it. Once the flag is set to false, the default audience will work with the client credentials flow.
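The following is an added example, not Auth0 code: it builds a client_credentials request that passes the audience explicitly, and checks a /oauth/token response so an opaque token (the symptom above) or a JWT minted for the wrong API is caught before it reaches the integration. The tenant domain, client credentials and the API identifier https://api.example.com are placeholders; the JWT sample is constructed locally and unsigned.

```python
import base64
import json

TOKEN_URL = "https://YOUR_TENANT.auth0.com/oauth/token"  # placeholder tenant domain


def build_client_credentials_request(client_id, client_secret, audience):
    """Form body for the client_credentials grant. The audience is sent explicitly
    so the token is minted for the API identifier instead of relying on the
    tenant default, which this article shows is not applied for M2M clients."""
    if not audience:
        raise ValueError("audience is required for the client_credentials grant")
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "audience": audience}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def classify_access_token(access_token):
    """'jwt' if the token has three segments with a JSON header and payload, else 'opaque'."""
    parts = access_token.split(".")
    if len(parts) != 3:
        return "opaque"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all derive from ValueError
        return "opaque"
    if not isinstance(header, dict) or "alg" not in header or not isinstance(payload, dict):
        return "opaque"
    return "jwt"


def check_token_response(response, expected_audience):
    """Validate a /oauth/token body: the token must be a JWT whose aud covers expected_audience.
    Signature verification against the tenant JWKS is a separate step, not done here."""
    token = response.get("access_token", "")
    if classify_access_token(token) == "opaque":
        return {"ok": False, "reason": "opaque token: no audience in request and no default applied"}
    aud = json.loads(_b64url_decode(token.split(".")[1])).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_audience not in auds:
        return {"ok": False, "reason": f"aud {auds} does not include {expected_audience}"}
    return {"ok": True, "reason": "jwt access token for expected audience"}


def constructed_sample_jwt(payload):
    """Constructed, unsigned JWT-shaped sample for local testing only (placeholder signature)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}.placeholder"
```

Run check_token_response on the response body of each token request; a result with "ok": False is the signal that the audience was not applied.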