DashboardDocs
Log in
Guest mode

Machine-to-machine auth (M2M)

Machine-to-machine

Machine-to-machine auth

Userfront has a flexible approach that allows machine-to-machine authentication and authorization via:

  • JSON Web Tokens (JWTs)
  • API keys

The best option for your specific use case will depend on several factors, including your security requirements, API architecture, and levels of authorization.

If your API only needs to grant basic read access to non-sensitive information and doesn’t require granular permissions and access control, API keys can be easier to implement than JWTs.

However, if your API serves multiple clients, such as an external-facing API or in a microservices architecture, JWTs are a more secure and scalable alternative to API keys. JWTs are signed, self-contained tokens that can provide granular levels of permissions for each tenant without the need for multiple API calls.

You can scope M2M auth to your entire application or to tenants, sub-tenants, users, or specific machines within your application.

Machine-to-Machine Auth with JWT access tokens

Userfront allows M2M auth using JWTs as described by the diagram below:

Machine-to-machine auth with JWT

1. Token Generation

Your application or device makes an authentication request to Userfront using any of the authentication methods you choose.

Userfront receives the request, generates a JWT access token with your desired payload and expiration, and returns the JWT access token to the requesting device.

In addition to standard claims, the JWT access token can also contain custom claims in its payload.

The JWT access token can also be scoped to any parent or nested tenant within your application, ensuring that access is granted at the appropriate level(s) for the requesting device.

2. Token Distribution

Userfront returns the JWT access token to the requesting device. The device then uses this token for subsequent authenticated requests to other devices in your system.

3. Token Usage

When a device wants to communicate with another device or a server in your system, it includes the JWT in the HTTP header. The receiving device verifies the JWT access token by checking the token's signature using a public key to ensure it was generated securely.

The receiving device then validates the JWT claims (e.g., ensuring the token is not expired and is intended for the correct audience) as well as any authorization levels contained within the JWT payload.



json
// An example JWT access token for m2m
{
  "tenantId": "abcd1234",
  "mode": "live",
  "machineId": "3140f9a6-a53b-4bae-8339-f5a475e876ad",
  "authorization": {
    "abcd1234": {
      "roles": ["client-device"]
    }
  }
}

Machine-to-Machine Auth with API keys

Userfront allows M2M auth using API keys as described by the diagram below:

Machine-to-machine auth with API key

1. API Key Retrieval

Your application or device makes an authentication request to Userfront using any of the authentication methods you choose. Userfront receives the request and returns an API key to the requesting device.

The API key can be scoped to any parent or nested tenant within your application, ensuring that access is granted at the appropriate level(s) for the requesting device.

2. API Key Distribution

Userfront returns the API key to the requesting device. The device then uses this API key for subsequent authenticated requests to other devices in your system.

3. API Key Usage

When a device wants to communicate with another device or a server in your system, it includes the API key in the HTTP header. The receiving device can either already contain the API key and check for a match, or it can send the API key to Userfront for verification.

4. API Key Verification Request (optional)

If the receiving device does not have the API key stored, it can make a request to Userfront’s verify API key endpoint with the API key in the HTTP header.

5. API Key Verification Response (optional)

Userfront returns a response indicating whether the API key is valid, and if so, for which tenant.



js
// An example admin API key for m2m
uf_live_admin_abcd1234_88ec72199fbce7a60f53eeecbb4e08dd


// An example read-only API key for m2m
uf_live_readonly_abcd1234_c9cce7a60f53ef7ecbb3e08d38ec3819

Machine-to-machine authorization in your application

Machine-to-machine authentication via JWT access tokens or API keys allow multiple machines in your network to establish trust and communicate securely.

Userfront further allows fine-grained machine-to-machine authorization by combining its flexible, nestable access control layer with automated machine interactions. This allows each machine to request only the level of access that it needs.

Userfront’s tenant model unlocks fine-grained M2M auth that molds to any use case. JWT access tokens and API keys can be scoped globally or to any level of tenant or sub-tenant. This means that access can be scoped to any of the following:

  • Application-wide
  • Organization (tenant) within the application
  • Sub-organizations (child tenants) nested within an organization
  • An individual user or machine

Auditing and Compliance

Userfront can record every instance of access requested for machine-to-machine interactions as well as invalid, expired, and out-of-scope attempts to validate a machine and can provide security and compliance reporting for audits and security reviews.

Contact us for more information on M2M auditing and compliance.

Migrating Machine-to-Machine Auth

If needed, Userfront can migrate most machine-to-machine auth systems in a backwards-compatible manner.

The specifics for migration will depend on your system, but most JWT-based approaches and many API key- based approaches can be migrated seamlessly.

Contact us to discuss migrating your machine-to-machine auth.