Selected Authentication Method: Client Secret (POST)
Client Secret (POST) — Selected
This method means:
• The application authenticates to Auth0 using:
o client_id
o client_secret
• These credentials are sent in the HTTP POST body when calling Auth0 token endpoints (e.g., /oauth/token).
This is a standard OAuth 2.0 confidential client pattern.
________________________________________
Purpose of This Configuration
Primary Purpose
To allow Auth0 to verify the identity of the calling application before issuing tokens.
Auth0 uses this to:
• Prevent unauthorized applications from obtaining access tokens
• Enforce trust boundaries between clients
• Secure machine-to-machine and backend integrations
________________________________________
Typical Flow (Machine-to-Machine or Backend App)
1. Application sends a token request to Auth0: POST /oauth/token
2. Request body includes:
o client_id
o client_secret
o grant_type
o audience / scope
3. Auth0 validates the client credentials
4. Auth0 issues a JWT access token (and optionally an ID token)
That JWT is then:
• Passed to an API Gateway (e.g., Kong)
• Validated using iss, aud, exp, and signature
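The numbered flow above (the POST to /oauth/token with client_id and client_secret in the body) and the gateway-side checks (iss, aud, exp and signature) as one runnable Python example. This is added here and is not part of the original configuration notes or of any Auth0 or Kong code. The tenant domain, client id, secret, audience and signing key are constructed placeholders; the sample token is signed with HS256 so that the example needs only the standard library, whereas Auth0 APIs normally sign with RS256 and the gateway fetches the public key from the tenant's JWKS endpoint. The claim checks are the same either way.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

# Hypothetical tenant, client and API values, constructed for this example.
AUTH0_DOMAIN = "example-tenant.auth0.example"
CLIENT_ID = "abc123clientid"
CLIENT_SECRET = "s3cr3t-client-secret"
API_AUDIENCE = "https://api.example.internal/"
EXPECTED_ISSUER = f"https://{AUTH0_DOMAIN}/"   # Auth0 issuer values end with a slash
SIGNING_KEY = b"constructed-signing-key"       # stand-in for the tenant's signing key


def build_token_request(client_id, client_secret, audience, scope=None):
    """Step 1: the POST to /oauth/token. With 'Client Secret (POST)' the
    client_id and client_secret travel in the form-encoded body, not in
    an Authorization header."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }
    if scope:
        body["scope"] = scope
    return {
        "url": f"https://{AUTH0_DOMAIN}/oauth/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(body),
    }


def decode_form_body(body):
    """What the token endpoint sees after parsing the form body."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_test_jwt(claims, key):
    """Constructed stand-in for the access token Auth0 returns (step 4).
    HS256 is used only so the example runs on the standard library."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_jwt(token, key, expected_iss, expected_aud, now=None):
    """Gateway-side checks: signature, iss, aud, exp.
    Returns the claims, or raises ValueError with the rejection reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm; never let the token's own header choose the verifier.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))   # only trusted after the signature check
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def gateway_verdict(token, now=None):
    """Convenience wrapper: 'accepted' or the rejection reason."""
    try:
        validate_jwt(token, SIGNING_KEY, EXPECTED_ISSUER, API_AUDIENCE, now)
        return "accepted"
    except ValueError as err:
        return str(err)


# Constructed claims resembling a client-credentials access token.
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "sub": f"{CLIENT_ID}@clients",
    "aud": API_AUDIENCE,
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
    "gty": "client-credentials",
}
```

Two design points worth noting for a deployment: the client_secret appears only in the backend that builds the request and must never reach a browser or mobile app (those are public clients and use a different method), and the gateway verifies the signature before reading any claim, with the algorithm fixed by configuration rather than taken from the token header.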