
# M2M overview

> Authenticate machine-to-machine clients using the Stytch API

Machine-to-Machine (M2M) authentication allows services, scripts, and applications to authenticate directly with your API without user interaction. M2M clients use the OAuth 2.0 client credentials flow to obtain access tokens.

## M2M authentication flow

<Steps>
  <Step title="Create an M2M client">
    Create an M2M client to get credentials for authentication using the [Create M2M Client](/api-reference/b2b/api/m2m/m2m-client/create-m2m-client) endpoint:

    ```bash theme={null}
    curl --request POST \
      --url https://test.stytch.com/v1/m2m/clients \
      --header 'Content-Type: application/json' \
      --user 'PROJECT_ID:SECRET' \
      --data '{
        "client_name": "Production API Service",
        "client_description": "Backend service for processing orders",
        "scopes": ["read:orders", "write:orders"]
      }'
    ```

    **Response:**

    ```json theme={null}
    {
      "status_code": 201,
      "m2m_client": {
        "client_id": "m2m-client-test-d731954d-dab3-4a2b-bdee-07f3ad1be885",
        "client_secret": "secret-test-...",
        "client_name": "Production API Service",
        "client_description": "Backend service for processing orders",
        "status": "active",
        "scopes": ["read:orders", "write:orders"]
      }
    }
    ```

    Store the `client_id` and `client_secret` securely; the secret is returned only once, at creation.
  </Step>

  <Step title="Get an access token">
    Use the client credentials to obtain an access token using the [Get Access Token](/api-reference/b2b/api/m2m/token/get-access-token) endpoint:

    ```bash theme={null}
    curl --request POST \
      --url https://test.stytch.com/v1/m2m/token \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --user 'm2m-client-test-d731954d-dab3-4a2b-bdee-07f3ad1be885:secret-test-...' \
      --data 'grant_type=client_credentials'
    ```

    **Response:**

    ```json theme={null}
    {
      "status_code": 200,
      "access_token": "eyJhbGc...",
      "token_type": "Bearer",
      "expires_in": 3600
    }
    ```

    Access tokens are JWTs signed with a key from your project's JWKS and are valid for one hour.
  </Step>

  <Step title="Use the access token">
    Include the access token in API requests:

    ```bash theme={null}
    curl --request GET \
      --url https://api.yourapp.com/orders \
      --header 'Authorization: Bearer eyJhbGc...'
    ```

    Validate tokens using the [Authenticate Access Token](/api-reference/b2b/api/m2m/token/authenticate-access-token) method in the Stytch Backend SDKs or any JWT validation library.
  </Step>
</Steps>

## Managing M2M clients

<Tabs>
  <Tab title="Update Client" icon="pencil">
    Update client settings like name, description, or scopes using the [Update M2M Client](/api-reference/b2b/api/m2m/m2m-client/update-m2m-client) endpoint:

    ```bash theme={null}
    curl --request PUT \
      --url https://test.stytch.com/v1/m2m/clients/m2m-client-test-d731954d-dab3-4a2b-bdee-07f3ad1be885 \
      --header 'Content-Type: application/json' \
      --user 'PROJECT_ID:SECRET' \
      --data '{
        "client_name": "Updated Service Name",
        "scopes": ["read:orders", "write:orders", "read:customers"]
      }'
    ```

    Updating scopes affects future access tokens but doesn't invalidate existing ones.
  </Tab>

  <Tab title="Search Clients" icon="search">
    Search for M2M clients by name or other criteria using the [Search M2M Clients](/api-reference/b2b/api/m2m/m2m-client/search-m2m-clients) endpoint:

    ```bash theme={null}
    curl --request POST \
      --url https://test.stytch.com/v1/m2m/clients/search \
      --header 'Content-Type: application/json' \
      --user 'PROJECT_ID:SECRET' \
      --data '{
        "query": {
          "operator": "AND",
          "operands": [
            {
              "filter_name": "status",
              "filter_value": ["active"]
            }
          ]
        }
      }'
    ```

    Returns all M2M clients matching the search criteria.
  </Tab>

  <Tab title="Delete Client" icon="trash">
    Delete an M2M client using the [Delete M2M Client](/api-reference/b2b/api/m2m/m2m-client/delete-m2m-client) endpoint:

    ```bash theme={null}
    curl --request DELETE \
      --url https://test.stytch.com/v1/m2m/clients/m2m-client-test-d731954d-dab3-4a2b-bdee-07f3ad1be885 \
      --user 'PROJECT_ID:SECRET'
    ```

    Deleting a client immediately invalidates its credentials. Existing access tokens remain valid until expiration.
  </Tab>
</Tabs>

## Access token claims

M2M access tokens are JWTs containing standard claims:

```json theme={null}
{
  "sub": "m2m-client-test-d731954d-dab3-4a2b-bdee-07f3ad1be885",
  "iss": "stytch.com/project-test-...",
  "aud": ["project-test-..."],
  "exp": 1234567890,
  "iat": 1234564290,
  "scope": "read:orders write:orders"
}
```

**Key claims:**

* `sub`: The M2M client ID
* `scope`: Space-separated list of granted scopes
* `exp`: Token expiration (1 hour from issuance)

You can add custom claims using claim templates configured in your project settings.
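
The claim checks a resource server runs after the token's signature has been verified against the project's JWKS (by a Stytch Backend SDK or a JWT library), shown as an added example that is not Stytch's own code. It also covers the note above that a deleted client's tokens stay valid until expiration. The names `authorize`, `decision`, `revoked_clients` and `leeway`, the 30-second clock-skew allowance, and the sample issuer and audience values are assumptions.

```python
import time

class TokenRejected(Exception):
    """Verified claims failed an authorization check."""

def authorize(claims, required_scope, issuer, audience,
              revoked_clients=frozenset(), now=None, leeway=30):
    """Check claims of an already signature-verified token; return the client ID."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenRejected("issuer")
    aud = claims.get("aud") or []
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise TokenRejected("audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenRejected("expired")
    sub = claims.get("sub")
    if not sub or sub in revoked_clients:
        # A deleted client's tokens stay valid until exp, so deny them here.
        raise TokenRejected("client")
    # Exact match on the split scope list; a substring test would let
    # "read:orders:archive" satisfy "read:orders".
    if required_scope not in str(claims.get("scope", "")).split():
        raise TokenRejected("scope")
    return sub

def decision(claims, required_scope, **kw):
    """Return 'allow' or the name of the check that failed."""
    try:
        authorize(claims, required_scope, ISSUER, AUDIENCE, **kw)
        return "allow"
    except TokenRejected as err:
        return str(err)

# Constructed sample values (placeholders, not a real project).
ISSUER = "stytch.com/project-test-EXAMPLE"
AUDIENCE = "project-test-EXAMPLE"
SAMPLE = {
    "sub": "m2m-client-test-d731954d-dab3-4a2b-bdee-07f3ad1be885",
    "iss": ISSUER, "aud": [AUDIENCE],
    "exp": 1234567890, "iat": 1234564290,
    "scope": "read:orders write:orders",
}

if __name__ == "__main__":
    t = SAMPLE["iat"] + 10
    print(decision(SAMPLE, "write:orders", now=t))
    print(decision(SAMPLE, "read:customers", now=t))
    print(decision(SAMPLE, "read:orders", now=t, revoked_clients={SAMPLE["sub"]}))
```

Populate `revoked_clients` from your own record of deleted client IDs and keep each entry for at least one hour, the token lifetime stated above.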

## Learn more

<CardGroup cols={2}>
  <Card title="M2M Client object" icon="bot" href="/api-reference/b2b/api/m2m/m2m-client-object">
    M2M Client object reference
  </Card>

  <Card title="Get JWKS" icon="key" href="/api-reference/b2b/api/sessions/get-jwks">
    Retrieve public keys for token validation
  </Card>
</CardGroup>
