There are two API audiences, our own API and the Auth0 Management API. Make sure the authorized audiences match.
Machine-to-machine (M2M) clients don’t have the concept of user roles.
We use a Regular Web Application instead of a SPA because Next.js uses SSR.
By default, new applications don’t get the “password” or “http://auth0.com/oauth/grant-type/password-realm” grant types. These must be added programmatically.
https://auth0.com/docs/configure/applications/application-grant-types
https://community.auth0.com/t/error-grant-type-password-not-allowed-for-the-client-for-resource-owner-password-flow/6951/7
We require the password grant because we want the post-login Action to simulate an admin user. Using an M2M auth client does not assign the roles claim because it isn’t a user.
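Added example, not part of these notes: enabling the two password grant types on one client through the Auth0 Management API (PATCH /api/v2/clients/{id}), merging them into the client's existing grant list so the PATCH does not drop the grants already there. It assumes AUTH0_DOMAIN, AUTH0_CLIENT_ID and AUTH0_MGMT_TOKEN (a Management API token with the update:clients scope) are passed as environment variables; those names are our choice, not Auth0's.

```javascript
// Added example (not from the original notes). Assumed env vars:
// AUTH0_DOMAIN, AUTH0_CLIENT_ID, AUTH0_MGMT_TOKEN (needs update:clients scope).
// Requires Node 18+ for the global fetch.
const PASSWORD_GRANTS = [
  "password",
  "http://auth0.com/oauth/grant-type/password-realm",
];

// PATCH replaces the whole grant_types array, so merge instead of overwriting.
function withPasswordGrants(existing) {
  const merged = new Set(existing || []);
  for (const g of PASSWORD_GRANTS) merged.add(g);
  return Array.from(merged);
}

// Pure builder for the Management API request, so it can be inspected before sending.
function buildClientPatch(domain, clientId, token, grantTypes) {
  return {
    url: `https://${domain}/api/v2/clients/${encodeURIComponent(clientId)}`,
    init: {
      method: "PATCH",
      headers: {
        Authorization: `Bearer ${token}`,
        "Content-Type": "application/json",
      },
      body: JSON.stringify({ grant_types: grantTypes }),
    },
  };
}

async function enablePasswordGrants(domain, clientId, token) {
  // Read the current grants first; only the targeted client is changed.
  const getUrl = `https://${domain}/api/v2/clients/${encodeURIComponent(clientId)}?fields=grant_types`;
  const current = await fetch(getUrl, { headers: { Authorization: `Bearer ${token}` } });
  if (!current.ok) throw new Error(`GET client failed: ${current.status}`);
  const { grant_types } = await current.json();
  const { url, init } = buildClientPatch(domain, clientId, token, withPasswordGrants(grant_types));
  const res = await fetch(url, init);
  if (!res.ok) throw new Error(`PATCH client failed: ${res.status}`);
  return (await res.json()).grant_types;
}

// Only contacts Auth0 when all three env vars are set; otherwise does nothing.
const { AUTH0_DOMAIN, AUTH0_CLIENT_ID, AUTH0_MGMT_TOKEN } = process.env;
if (AUTH0_DOMAIN && AUTH0_CLIENT_ID && AUTH0_MGMT_TOKEN) {
  enablePasswordGrants(AUTH0_DOMAIN, AUTH0_CLIENT_ID, AUTH0_MGMT_TOKEN)
    .then((g) => console.log("grant_types now:", g))
    .catch((e) => { console.error(e.message); process.exit(1); });
}
```

Run it against the single client that actually needs the password grant; the other applications keep their default grant types.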