> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-actions-triggers-reorg.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Credentials Exchange

> Learn about Credentials Exchange Actions, which run when an Access Token is issued as part of the Machine to Machine Flow. They can be used to deny the exchange or add custom claims to the access token.

The `credentials-exchange` trigger runs when an <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=Access+Token">Access Token</Tooltip> is being issued via the [Client Credentials Flow](/docs/get-started/authentication-and-authorization-flow/client-credentials-flow), before the access token is returned.

<Frame>
  <img src="https://mintcdn.com/docs-dev-actions-triggers-reorg/JSHJosOFSmrwc-Ig/docs/images/cdy7uua7fh8z/1JPl54LFWCUh5StuglZS2o/41f89372526574c3b8cdac4d5ba38072/Machine_to_Machine_Flow.png?fit=max&auto=format&n=JSHJosOFSmrwc-Ig&q=85&s=5d6afecddf1a126dac640fb24d1be3c9" alt="Diagram showing the Actions Machine to Machine Flow and when the triggers inside of it run." width="851" height="215" data-path="docs/images/cdy7uua7fh8z/1JPl54LFWCUh5StuglZS2o/41f89372526574c3b8cdac4d5ba38072/Machine_to_Machine_Flow.png" />
</Frame>

Actions in this flow are blocking (synchronous): they execute as part of the trigger's process and prevent the rest of the Auth0 pipeline from running until the Action completes.

## References

* [Event object](/docs/customize/actions/reference/credentials-exchange/credentials-exchange-event-object): Provides contextual information about the request for a client credentials exchange.
* [API object](/docs/customize/actions/reference/credentials-exchange/credentials-exchange-api-object): Provides methods for changing the behavior of the flow.

## Common use cases

### Access control

A credentials-exchange Action can be used to deny an access token based on custom logic:

```javascript lines theme={null}
/**
 * @param {Event} event - Details about client credentials grant request.
 * @param {CredentialsExchangeAPI} api - Interface whose methods can be used to change the behavior of client credentials grant.
 */
exports.onExecuteCredentialsExchange = async (event, api) => {
  if (event.request.geoip.continentCode === "NA") {
    api.access.deny('invalid_request', "Access from North America is not allowed.");
  }
};
```

### Add custom claims to the access token

A credentials-exchange Action can be used to add custom claims to an access token:

```javascript lines theme={null}
/**
 * @param {Event} event - Details about client credentials grant request.
 * @param {CredentialsExchangeAPI} api - Interface whose methods can be used to change the behavior of client credentials grant.
 */
exports.onExecuteCredentialsExchange = async (event, api) => {
  api.accessToken.setCustomClaim("https://my-api.exampleco.com/request-ip", event.request.ip);
};
```

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  We strongly recommend using a namespaced custom claim in the form of a URI. To learn more about namespaced and non-namespaced custom claims, read [Create Custom Claims](/docs/secure/tokens/json-web-tokens/create-custom-claims).
</Callout>
