M2M apps scoped to organizations
Machine-to-Machine (M2M)
Here are short answers to the most common M2M questions. Click any question to expand the answer.
M2M authentication is designed for servers, APIs, and automated systems that need to communicate securely without human intervention. Unlike regular user auth where someone signs in with a password or social login, M2M uses the client credentials flow - your application authenticates using a client ID and secret to get an access token. Think of it like having a service account that can access your APIs 24/7 without anyone needing to sign in. This is perfect for microservices, background jobs, or third-party integrations that need to access your Kinde-protected resources.
Setting up M2M is straightforward - create a new application in your Kinde dashboard and select “Machine to machine” as the type. You’ll get a client ID and client secret (treat secrets as highly sensitive). The key difference from regular apps is that M2M applications don’t need callback URLs since there’s no user redirect flow. You will need to specify which APIs this M2M app can access and what scopes it needs. Start with minimal permissions and expand as needed - it’s easier to add permissions than to figure out why something has too much access.
Never, ever put M2M credentials directly in your code or version control - that’s like posting your house keys on social media. Use environment variables and a secrets manager (AWS Secrets Manager, Azure Key Vault, Google Secret Manager) or your platform’s secure configuration system. Rotate your client secrets regularly, especially if you suspect they might have been exposed. Consider using different M2M applications for different environments (development, staging, production) so a compromise in one doesn’t affect others.
Follow the principle of least privilege - create separate M2M applications for different services or use cases. Your email service might only need read access to user profiles, while your analytics service needs broader access to usage data. This compartmentalization means if one service gets compromised, the blast radius is limited. It also makes debugging easier when you can trace API calls back to specific applications. The slight overhead of managing multiple M2M apps is worth the security and operational benefits.
M2M access tokens expire (usually after an hour), so your application needs to handle token refresh gracefully. Most Kinde SDKs handle this automatically, but if you’re doing it manually, implement retry logic that gets a fresh token when you receive 401 responses. Cache tokens in memory and refresh proactively before expiry. For high-traffic systems, use a short-lived, in-memory cache per host/process to reduce token requests. Do not share tokens across services or persist them.
It depends on what your M2M application needs to do. For basic user management, you might need read:users
and write:users
. For organization management, add read:organizations
and write:organizations
. If you’re syncing billing data, include relevant billing scopes. Here’s the thing - start narrow and expand permissions as needed. It’s much easier to debug “permission denied” errors than to figure out why an M2M app has access to everything. Check the Kinde Management API docs for the complete scope list and map them to your actual business needs.
Respect the rate limits and implement exponential backoff when you hit them. Batch your API calls when possible instead of making hundreds of individual requests. For high-volume operations like user imports, use bulk endpoints if available or spread the work over time. Cache data that doesn’t change frequently - you probably don’t need to fetch the same user profile 50 times per minute. If you’re consistently hitting limits, it might be time to optimize your integration or contact Kinde about higher limits.
Always check HTTP status codes before processing response data – a 200 means success, anything else needs error handling. Parse the JSON response carefully and handle cases where expected fields might be missing. For paginated responses, implement proper pagination logic rather than just grabbing the first page. Log API responses (but never log credentials or tokens) for debugging purposes, and implement idempotent operations where possible so retrying failed requests doesn’t cause duplicate data. Troubleshoot M2M token errors
Use separate M2M applications for development and production environments - this keeps your test data completely isolated. Create test organizations and users that you can safely experiment with. Set up your CI/CD pipeline to use development M2M credentials for automated testing. Mock the Kinde API responses in your unit tests rather than making real API calls every time. And please, test your error handling scenarios - what happens when the API is down or returns unexpected responses?
Each microservice should have its own M2M application with only the permissions it needs - this follows the principle of least privilege and makes security auditing much easier. Consider creating a shared authentication service that handles token management for all your microservices, or use a service mesh that can inject tokens automatically. Don’t pass M2M tokens between services - each service should authenticate directly with Kinde. This prevents token leakage and makes it easier to track which service is making which API calls.
Use webhooks for real-time updates when users change their profiles or organizations, then use M2M API calls to fetch detailed data when needed. Don’t try to keep a complete mirror of Kinde data in your system - it’s better to cache frequently accessed information and fetch fresh data for important operations. Implement proper error handling for sync operations, and consider implementing eventual consistency patterns where slight delays are acceptable.
M2M is perfect for automated organization provisioning when new customers sign up. You can create organizations, set up initial users, configure permissions, and even assign billing plans all through the Management API. Use consistent naming conventions for organizations (maybe map them to your internal customer IDs) and store the Kinde organization ID in your customer records for easy lookup. This automation means new customers can start using your product immediately without manual setup steps.
Set up M2M applications that can create users, assign them to organizations, and configure their initial permissions based on your business logic. This is particularly useful for enterprise customers who need automated onboarding from their HR systems or directory services. You can trigger these workflows from webhooks, scheduled jobs, or API events from other systems. Just make sure to handle edge cases like duplicate email addresses or organization limits gracefully.
Check the obvious stuff first - are you using the right client ID and secret for your production environment? M2M credentials are environment-specific, so development credentials won’t work in production. Look at the exact error message: “invalid_client” usually means wrong credentials, while “insufficient_scope” means you’re trying to access APIs without the right permissions. If tokens were working before but suddenly stopped, check if credentials were rotated or if API scopes changed.
Implement proper logging that captures request/response times, error rates, and token refresh patterns. Monitor for increasing latency or higher error rates - these often signal capacity issues or misconfigurations. Use correlation IDs in your logs so you can trace requests across multiple services. Set up alerts for authentication failures or unusual API usage patterns. The Kinde dashboard shows some usage metrics, but you’ll want your own monitoring for production applications.
First, optimize your current usage - are you making unnecessary API calls or missing opportunities to batch requests? Cache data that doesn’t change frequently and implement proper pagination for large datasets. If you’ve optimized everything and still need higher limits, document your use case and expected traffic patterns when contacting Kinde support. They’ll want to understand your business needs and ensure the higher limits won’t impact system performance for other customers.
Network issues happen, so build resilience into your M2M integrations. Implement exponential backoff with jitter for retries, set reasonable timeouts on API calls, and have circuit breaker patterns for critical paths. Log failures with enough context to debug later, but don’t spam your logs with retry attempts. For non-critical operations, consider using message queues so failed operations can be retried later without blocking your main application flow.
M2M is perfect for automating the boring stuff - creating accounts when customers sign up through your sales process, deactivating users when they leave companies, or updating permissions based on role changes. Set up webhooks to trigger these workflows, then use M2M API calls to make the actual changes in Kinde. You can even automate organization setup for enterprise customers, complete with custom authentication requirements and user provisioning. Just make sure you have proper audit logging for compliance purposes.
Serverless functions are actually perfect for M2M since you don’t need to worry about long-lived token storage. Get a fresh token at the start of each function execution - the overhead is minimal and it’s more secure than trying to cache tokens across function invocations. For background jobs, implement token caching with proper expiration handling. Remember that cold starts might affect initial authentication performance, so consider warming up critical functions if latency matters.
Design your sync jobs to be idempotent - running them multiple times should produce the same result without creating duplicates. Use the Management API to query for changes since your last sync, then update your systems accordingly. Implement proper error handling and retry logic since network issues happen. Consider using message queues or event streams for real-time sync requirements. And always, always test your sync logic with large datasets before going live - edge cases love to hide in bulk operations.
M2M applications are excellent for automated compliance workflows - you can programmatically generate user access reports, audit permission changes, or automatically revoke access for inactive accounts. Use the Management API to query user activities and organization changes, then format this data for compliance reporting. Set up scheduled jobs that check for policy violations or unusual access patterns. Remember to log all M2M operations for your own audit trail - knowing which automated system made which changes is crucial for compliance.