Accessing AuthAction Management API with M2M Application

This guide explains how to access the AuthAction Management API using a Machine-to-Machine (M2M) application. Whether you’re building a backend service or a script that needs to manage users, roles, or other resources, this guide walks you through the setup and API calls.

When to Use M2M Applications

M2M applications are suitable when your service or script must access APIs securely without user interaction. This approach leverages the OAuth2 client credentials flow to obtain access tokens that can be used for authentication.

Setup Guide

Step 1: Create an M2M Application in AuthAction

1. Log in to your AuthAction dashboard.
2. Navigate to the Applications section.
3. Create a new application and select the type as Machine-to-Machine (M2M).
4. In the application’s APIServer tab, ensure you grant access to the AuthAction Management API.

Step 2: Retrieve API Credentials

After creating the application:

• Note down the Client ID and Client Secret for your M2M application.
• These credentials will be essential for obtaining access tokens.

Step 3: Obtain an Access Token

To access the Management API, you’ll need an access token via the client credentials flow. Here’s how you can do it:

API Endpoint

POST https://<tenant>.<region>.authaction.com/oauth2/m2m/token

Example Request (using curl)

curl --request POST \
  --url https://<tenant>.<region>.authaction.com/oauth2/m2m/token \
  --header 'content-type: application/json' \
  --data '{
    "client_id": "<YOUR_M2M_APP_CLIENT_ID>",
    "client_secret": "<YOUR_M2M_APP_CLIENT_SECRET>",
    "audience": "https://<tenant>.<region>.authaction.com",
    "grant_type": "client_credentials"
  }'

Example Response

{
  "access_token": "YOUR_ACCESS_TOKEN",
  "token_type": "Bearer",
  "expires_in": 86400
}

• The access_token will be used to authenticate requests to the Management API.
• The token is valid for the duration specified in expires_in (e.g., 24 hours).

Step 4: Call the Management API

Once you have the access_token, you can use it to call any Management API endpoint (https://authaction.readme.io/).

Example Request

Here’s how you can retrieve the list of users:

curl --request GET \
  --url https://<tenant>.<region>.authaction.com/api/v1/users \
  --header 'Authorization: Bearer YOUR_ACCESS_TOKEN'

Example Response

[
  {
    "id": "671e6abcf34ff7b958a64f81",
    "name": "John Doe",
    "email": "john.doe@example.com"
  },
  ...
]

Step 5: Troubleshooting and Permissions

If you encounter a 401 Unauthorized error:

• Verify permissions: Ensure your M2M application has been authorized for the AuthAction Management API.
• Check the audience: Ensure the audience in your token request matches your AuthAction domain (e.g., https://<tenant>.<region>.authaction.com).

---

Summary

• M2M applications allow backend services to interact with APIs securely, using access tokens obtained via the client credentials flow.
• Properly configure the AuthAction Management API permissions in your M2M application.
• Always validate the audience and other token parameters when calling APIs.

---

Automating Token Retrieval

If you’re working with scripts or automation tools, you can store the Client ID and Client Secret in environment variables. Here’s a quick Node.js snippet for retrieving the token:

const axios = require("axios");

async function getAccessToken() {
  const response = await axios.post("https://<tenant>.<region>.authaction.com/oauth2/m2m/token", {
    client_id: process.env.M2M_CLIENT_ID,
    client_secret: process.env.M2M_CLIENT_SECRET,
    audience: `https://<tenant>.<region>.authaction.com`,
    grant_type: "client_credentials",
  });

  return response.data.access_token;
}