Machine-to-Machine Authentication
Machine-to-machine (M2M) authentication is an authentication pattern where one service authenticates directly with another without any human user present. Unlike interactive OAuth 2.1 flows where a user signs in through a browser, M2M auth uses pre-shared credentials (typically a client ID and client secret) to obtain access tokens programmatically.
When M2M Auth Is Used
M2M authentication applies to server-side scenarios where no human is available to click through a consent screen:
- Backend services — A data pipeline that pulls field data on a schedule
- Automated analysis — A cron job that runs agronomic intelligence rules nightly
- Inter-service communication — FieldMCP's dashboard calling the gateway's internal endpoints
- CI/CD systems — Automated tests that need to authenticate against staging environments
How It Works in FieldMCP
FieldMCP uses two M2M authentication patterns:
Internal Service Communication
The dashboard communicates with the gateway using a shared INTERNAL_SECRET. The dashboard includes this secret in requests to internal endpoints like POST /internal/invalidate-cache, and the gateway rejects requests that do not carry it. This is a simple shared-secret pattern suitable for trusted service-to-service calls within the same infrastructure. Its limits should be kept in mind: the secret identifies the caller as "the dashboard" but carries no scope, so anyone who obtains it can call every internal endpoint. That means the internal endpoints must not be reachable from outside the trusted network, the secret must only travel over TLS, the gateway should compare it in constant time, and it should be rotated like any other credential.
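As an added illustration (not FieldMCP's own code), here is what a gateway-side check for the shared-secret pattern should look like in Python. The header name, the private network ranges and the minimum secret length are assumptions made for the example; what matters is the order of the checks and the constant-time comparison.

```python
import hmac
import ipaddress
import os

# Assumptions for this example only (not FieldMCP's actual wiring): the dashboard
# sends the secret in an X-Internal-Secret header, and /internal/* routes are only
# ever expected from these private ranges. A real gateway would bind its internal
# listener to an internal interface and use its own CIDRs here.
INTERNAL_HEADER = "X-Internal-Secret"
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]
MIN_SECRET_LEN = 32


def load_internal_secret() -> bytes:
    """Read INTERNAL_SECRET from the environment and refuse weak or missing values."""
    secret = os.environ.get("INTERNAL_SECRET", "")
    if len(secret) < MIN_SECRET_LEN:
        raise RuntimeError("INTERNAL_SECRET is missing or shorter than %d characters" % MIN_SECRET_LEN)
    return secret.encode()


def source_is_internal(remote_addr: str) -> bool:
    """Defence in depth: the secret alone should never be the only gate on /internal/*."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def internal_request_allowed(headers: dict, remote_addr: str, expected: bytes) -> bool:
    """Gate for /internal/* endpoints: network check first, then constant-time secret compare.

    `headers` is a plain dict here; a real framework would give a case-insensitive view.
    """
    if not source_is_internal(remote_addr):
        return False
    presented = headers.get(INTERNAL_HEADER)
    if not presented:
        return False
    # compare_digest takes the same time regardless of where the values first differ,
    # so a caller on the network cannot recover the secret one byte at a time.
    return hmac.compare_digest(presented.encode(), expected)


if __name__ == "__main__":
    # Constructed sample: a dashboard call to POST /internal/invalidate-cache.
    secret = b"c0ffee" * 8  # 48 characters, stands in for the real INTERNAL_SECRET
    good = {INTERNAL_HEADER: secret.decode()}
    print(internal_request_allowed(good, "10.1.2.3", secret))      # True
    print(internal_request_allowed(good, "203.0.113.9", secret))   # False: not an internal source
    print(internal_request_allowed({}, "10.1.2.3", secret))        # False: header missing
```

The network check comes first so that a request from outside never reaches the secret comparison at all; the secret then only has to distinguish the dashboard from other workloads already inside the trusted network.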
OAuth 2.1 Client Credentials
For external M2M access, FieldMCP supports the OAuth 2.1 client credentials grant. The service authenticates to the token endpoint with its client ID and client secret and receives a scoped access token; no redirect or consent step is involved. The returned JWT has the same format and validation rules as interactive tokens, so resource servers verify it the same way. The difference is in what it represents: with no user in the flow, the token's subject is the client itself, and its scopes are the service's own authorization rather than permissions delegated by a user.
Security Considerations
M2M credentials require careful handling:
- Secret rotation — Client secrets should be rotated regularly. FieldMCP supports multiple active secrets during rotation periods, so a rotation is done by registering the new secret, deploying it to the service, and only then retiring the old one; the service is never locked out in between.
- Least privilege — M2M tokens should be scoped to only the permissions the service needs.
- Secure storage — Store secrets in a secrets manager, or at minimum in environment variables injected at deploy time; never in code, version control, or logs. Environment variables are inherited by every child process and often end up in crash reports, so treat them as the floor, not the goal.
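The client credentials grant described under OAuth 2.1 Client Credentials, together with the rotation and least-privilege points in the list above, as an added example that is not FieldMCP's own implementation. It simulates the token endpoint in Python using only the standard library: the client registry, the signing key, the issuer URL, the HS256 algorithm, the token lifetime and the scope names are all assumptions for the example (the real token format and validation rules are in the authentication guide). The token endpoint accepts any secret currently active for the client, refuses to mint scopes broader than the client is registered for, and the verifier checks algorithm, signature, issuer, expiry and scope before trusting the token.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions for this example only: HS256 with one key shared by the token
# endpoint and the gateway, a made-up issuer URL, and a one-hour token lifetime.
SIGNING_KEY = b"example-signing-key-not-for-production-use"
ISSUER = "https://auth.fieldmcp.example"
TOKEN_TTL = 3600


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def secret_hash(secret: str) -> str:
    # Client secrets are long random strings, so storing a SHA-256 of them keeps
    # the registry free of clear-text secrets; comparison below is constant-time.
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed client registry. Every hash in secret_hashes is accepted while a
# rotation is in progress; allowed_scopes is the ceiling on what can be requested.
CLIENTS = {
    "pipeline-nightly": {
        "secret_hashes": [secret_hash("old-secret-0001"), secret_hash("new-secret-0002")],
        "allowed_scopes": {"fields:read", "rules:run"},
    },
}


def issue_client_credentials_token(client_id, client_secret, requested_scope=None, now=None):
    """Simulated token endpoint for grant_type=client_credentials. Returns a JWT or None."""
    client = CLIENTS.get(client_id)
    if client is None:
        return None  # same outcome as a bad secret, so client IDs cannot be enumerated
    presented = secret_hash(client_secret)
    if not any(hmac.compare_digest(presented, h) for h in client["secret_hashes"]):
        return None
    # Least privilege: a token never carries more than the client is registered for,
    # and a client may narrow its request further with the scope parameter.
    requested = set(requested_scope.split()) if requested_scope else set(client["allowed_scopes"])
    if not requested <= client["allowed_scopes"]:
        return None
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": client_id, "iat": now, "exp": now + TOKEN_TTL,
               "scope": " ".join(sorted(requested))}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, required_scope, now=None):
    """Resource-side validation: algorithm, signature, issuer, expiry, then scope."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # only the algorithm we issue with; never honour 'none' or a swap
        expected = hmac.new(SIGNING_KEY, (h64 + "." + p64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        payload = json.loads(_b64url_decode(p64))
    except (ValueError, AttributeError, TypeError):  # malformed segments, base64 or JSON
        return None
    if not isinstance(payload, dict):
        return None
    now = int(now if now is not None else time.time())
    if payload.get("iss") != ISSUER or not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    if required_scope not in payload.get("scope", "").split():
        return None
    return payload


if __name__ == "__main__":
    token = issue_client_credentials_token("pipeline-nightly", "new-secret-0002", "fields:read")
    print(verify_token(token, "fields:read"))  # payload dict with sub, scope, exp
    print(verify_token(token, "rules:run"))    # None: that scope was not requested
```

The verifier checks the signature before it reads any claim, and it fixes the algorithm rather than reading it from the token, which is what closes the classic "alg: none" and key-confusion mistakes. Both sides also take an explicit `now` so expiry handling can be tested without sleeping.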
Further Reading
- Authentication guide
- OAuth 2.1 glossary entry
- Rate limiting — M2M clients are subject to the same rate limits