> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-docs-event-stream-action-templates.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn about the Actions Machine to Machine Flow and the credentials-exchange Action trigger, which runs as part of the Machine to Machine Flow.

# Machine to Machine Triggers

The Machine to Machine trigger runs when an <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=Access+Token">Access Token</Tooltip> is being issued via the [Client Credentials Flow](/docs/get-started/authentication-and-authorization-flow/client-credentials-flow).

<Frame>
  <img src="https://mintcdn.com/docs-dev-docs-event-stream-action-templates/0yESejeOU6QiEi-j/docs/images/cdy7uua7fh8z/1JPl54LFWCUh5StuglZS2o/41f89372526574c3b8cdac4d5ba38072/Machine_to_Machine_Flow.png?fit=max&auto=format&n=0yESejeOU6QiEi-j&q=85&s=4316f2eedc1707426f1de42092b18727" alt="Diagram showing the Actions Machine to Machine Flow and when the triggers inside of it run." width="851" height="215" data-path="docs/images/cdy7uua7fh8z/1JPl54LFWCUh5StuglZS2o/41f89372526574c3b8cdac4d5ba38072/Machine_to_Machine_Flow.png" />
</Frame>

Actions in this flow are blocking (synchronous), which means they execute as part of a trigger's process and will prevent the rest of the Auth0 pipeline from running until the Action is complete.

## Triggers

### M2M / Client Credentials

The `credentials-exchange` trigger is a function executed before the access token is returned.

#### References

* [Event object](/docs/customize/actions/explore-triggers/machine-to-machine-trigger/credentials-exchange-event-object): Provides contextual information about the request for a client credentials exchange.
* [API object](/docs/customize/actions/explore-triggers/machine-to-machine-trigger/credentials-exchange-api-object): Provides methods for changing the behavior of the flow.

## Common use cases

### Access control

A credentials-exchange Action can be used to deny an access token based on custom logic.

```javascript lines theme={null}
/**
 * @param {Event} event - Details about client credentials grant request.
 * @param {CredentialsExchangeAPI} api - Interface whose methods can be used to change the behavior of client credentials grant.
 */
exports.onExecuteCredentialsExchange = async (event, api) => {
  if (event.request.geoip.continentCode === "NA") {
    api.access.deny('invalid_request', "Access from North America is not allowed.");
  }
};
```

### Add custom claims to the access token

A credentials-exchange Action can be used to add custom claims to an access token.

```javascript lines theme={null}
/**
 * @param {Event} event - Details about client credentials grant request.
 * @param {CredentialsExchangeAPI} api - Interface whose methods can be used to change the behavior of client credentials grant.
 */
exports.onExecuteCredentialsExchange = async (event, api) => {
  api.accessToken.setCustomClaim("https://my-api.exampleco.com/request-ip", event.request.ip);  
};
```

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  We strong recommend using namespaced custom claim in the form of a URI. To learn more about namespaced and non-namespaced custom claims, read [Create Custom Claims](/docs/secure/tokens/json-web-tokens/create-custom-claims).
</Callout>