Machine-to-Machine (M2M)
This feature is available on the Kinde Plus and Scale plans
You can create machine-to-machine (M2M) applications in Kinde that are scoped to a specific organization. These applications are used to issue access tokens that are automatically restricted to that organization’s context, ensuring strong tenant isolation when calling Kinde’s APIs or your own.
Org-scoped apps use the same client credentials flow as other M2M apps, but the tokens they generate include the `org_code` claim.
Use an org-scoped app when you need the `org_code` directly from the token.

Tokens issued to an org-scoped app include trusted claims such as:

- `org_code`: the organization the token is scoped to
- `scope`: the permissions granted to the token

```json
{
  "org_code": "org_123",
  "scope": "read:users write:flags"
}
```
These claims are enforced at token issuance time and cannot be modified by the caller.
1. Kinde generates a `client_id` and `client_secret` tied to the selected organization.
2. Use those credentials in a standard client credentials flow to request a token. The resulting token includes the organization context automatically.
These claims can be used by your backend services to authorize access to specific APIs or resources.
| Feature | Global M2M app | Org-scoped M2M app |
|---|---|---|
| Org context in token | No | Yes |
| Tenant data isolation | Manual | Enforced |
| Use case | Admin scripts, internal automation | Per-tenant agents, scoped APIs |
| Token restrictions | None | Scoped to one org |
| Token claims | Basic | Includes `org_code` |
`client_id` and `org_code` in logs.