The Machine to Machine trigger runs when an is being issued via the Client Credentials Flow.
Diagram showing the Actions Machine to Machine Flow and when the triggers inside of it run.
Actions in this flow are blocking (synchronous), which means they execute as part of a trigger’s process and will prevent the rest of the Auth0 pipeline from running until the Action is complete.

Triggers

M2M / Client Credentials

The credentials-exchange trigger is a function executed before the access token is returned.

References

  • Event object: Provides contextual information about the request for a client credentials exchange.
  • API object: Provides methods for changing the behavior of the flow.

Common use cases

Access control

A credentials-exchange Action can be used to deny an access token based on custom logic. 
/**
 * @param {Event} event - Details about client credentials grant request.
 * @param {CredentialsExchangeAPI} api - Interface whose methods can be used to change the behavior of client credentials grant.
 */
exports.onExecuteCredentialsExchange = async (event, api) => {
  if (event.request.geoip.continentCode === "NA") {
    api.access.deny('invalid_request', "Access from North America is not allowed.");
  }
};

Add custom claims to the access token

A credentials-exchange Action can be used to add custom claims to an access token. 
/**
 * @param {Event} event - Details about client credentials grant request.
 * @param {CredentialsExchangeAPI} api - Interface whose methods can be used to change the behavior of client credentials grant.
 */
exports.onExecuteCredentialsExchange = async (event, api) => {
  api.accessToken.setCustomClaim("https://my-api.exampleco.com/request-ip", event.request.ip);  
};
We strong recommend using namespaced custom claim in the form of a URI. To learn more about namespaced and non-namespaced custom claims, read Create Custom Claims.