
Machine-to-Machine (M2M) Authentication

Machine-to-Machine authentication enables automated systems to access QLAM without user interaction.

Overview

M2M authentication uses the OAuth2 Client Credentials flow. Instead of authenticating a user, the application authenticates itself using a client ID and client secret.

sequenceDiagram
    participant App as Service/Application
    participant IdP as Identity Provider
    participant QLAM as QLAM API

    App->>IdP: Client ID + Client Secret
    IdP->>App: Access Token
    App->>QLAM: API request + Access Token
    QLAM->>App: Response

Use Cases

  • HPC environments
  • CI/CD pipelines
  • Automated testing
  • Scheduled batch jobs
  • Backend services
  • Integration systems

Prerequisites

M2M authentication requires:

  1. A dedicated M2M application registered with the identity provider
  2. A client ID and client secret/private key issued for your application
  3. Appropriate permissions granted to the application

Getting M2M Credentials

Contact your QLAM administrator to request M2M credentials for your use case.

Authentication Request

curl --request POST \
  --url "https://{auth_base_url}/oauth/token" \
  --header "content-type: application/x-www-form-urlencoded" \
  --data grant_type=client_credentials \
  --data "client_id={client_id}" \
  --data "client_secret={client_secret}" \
  --data "audience={audience}"

Parameters:

Parameter       Description
grant_type      Always client_credentials
client_id       Your M2M client ID
client_secret   Your M2M client secret (keep secure!)
audience        API identifier

Response

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 86400
}

No Refresh Token

M2M authentication does not return a refresh token. When the access token expires, request a new one using the same client credentials.

Cache Tokens Until Expiration

Your identity provider enforces a monthly limit on the number of M2M token requests. You must cache the access token and reuse it until it expires (see expires_in in the response) rather than requesting a new token for every API call. Failure to cache tokens can quickly exhaust your monthly quota and block your application from authenticating.
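One way to implement this caching, as an added example that is not QLAM's own code: a small thread-safe cache that wraps the token request shown above and renews only when expires_in is about to elapse. The QLAM_* environment variable names, the 60-second renewal margin and the invalidate() helper are assumptions made for the example.

```python
import json
import os
import threading
import time
import urllib.parse
import urllib.request


def fetch_token():
    """POST the client-credentials request from this page and return the parsed JSON."""
    # Secrets are read from the environment; the QLAM_* names are assumed for this example.
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": os.environ["QLAM_CLIENT_ID"],
        "client_secret": os.environ["QLAM_CLIENT_SECRET"],
        "audience": os.environ["QLAM_AUDIENCE"],
    }).encode()
    url = "https://%s/oauth/token" % os.environ["QLAM_AUTH_BASE_URL"]  # HTTPS only
    req = urllib.request.Request(url, data=body, method="POST")  # urllib sends data form-encoded
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Reuse one access token until shortly before expires_in elapses."""

    def __init__(self, fetch=fetch_token, clock=time.monotonic, margin=60):
        self._fetch, self._clock, self._margin = fetch, clock, margin
        self._lock = threading.Lock()
        self._token, self._expires_at = None, 0.0

    def get(self):
        with self._lock:  # one refresh at a time, even with many worker threads
            if self._token is None or self._clock() >= self._expires_at:
                resp = self._fetch()
                if resp.get("token_type", "").lower() != "bearer":
                    raise ValueError("unexpected token_type in token response")
                # Renew `margin` seconds early so a token never expires mid-request.
                ttl = max(int(resp["expires_in"]) - self._margin, 0)
                self._expires_at = self._clock() + ttl
                self._token = resp["access_token"]
            return self._token

    def invalidate(self):
        """Drop the cached token (e.g. after the API rejects it) so get() fetches a new one."""
        with self._lock:
            self._token = None
```

Create one TokenCache per process and call get() before each API request; with the 86400-second lifetime shown in the response above, that is roughly one token request per day per process.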

Security Best Practices

  1. Never commit secrets: Store client secrets in environment variables or secret managers (AWS Secrets Manager, HashiCorp Vault, etc.)

  2. Rotate secrets regularly: Periodically rotate client secrets and update your applications

  3. Use minimal permissions: Request only the permissions your application needs

  4. Secure transmission: Always use HTTPS

  5. Audit access: Monitor M2M application activity for anomalies

Next Steps