Machine Authentication

Machine authentication (often referred to as "machine-to-machine", or "M2M" authentication) is a way to authenticate machines, such as servers, applications, and devices, to ensure that they are who they say they are. This is in contrast to user authentication, which verifies the identity of a human user. Clerk currently supports two types of machine authentication tokens, with plans to add a third in the near future:

OAuth access tokens

OAuth is a widely adopted standard designed to provide a secure way for users to grant third-party applications limited access to their data and resources without providing their login credentials directly. While OAuth includes several different flows that serve different purposes, Clerk primarily supports the authorization code flow, which returns an access token that can be used by a machine to authenticate requests to Clerk's API on behalf of a user.

To learn more about machine authentication with OAuth access tokens, see the OAuth scoped access and OAuth token verification guides.

If you are looking for support for the OAuth client credentials flow, Clerk does not yet support it, but we are aiming to add support for it in the near future. Add your feedback and get notified when it's available here.

M2M tokens

If your goal is to authenticate requests made between several different services within your own infrastructure, Clerk's M2M tokens feature is intended for that use case. With this feature, you can create machines, dictate which machines are allowed to communicate with each other, and create tokens that can be used to authenticate requests between these machines.

To learn more about machine authentication with M2M tokens, see the guide.

API keys

If you want your application's users to be able to create API keys that delegate access to your application's API on their behalf, Clerk's API keys feature is intended for that use case. With this feature, you will be able to allow users to create API keys directly through the <UserProfile /> component, or create your own UI for API keys via custom hooks. It will also be simple to verify API keys on your backend using Clerk's SDKs, and you or your users will be able to instantly revoke API keys at any time.

We haven't released API key support yet, but we're working hard on it and hoping to have it available soon. If you're interested in early access, or being notified when it's available, please add your feedback here.
