Machine-to-Machine Authentication: A Field Guide to the Standards
Human authentication has a person in the loop: a password, a passkey, a push notification, an MFA prompt. Machine-to-machine (M2M) authentication does not. A batch job at 03:00, a payments service calling a ledger, a Kubernetes pod pulling a config — none of them can answer a challenge, and none of them should hold a password a human typed. The whole field is one question asked over and over: how does a workload prove which workload it is to another party, without a long-lived secret that can leak? This post is a map of the answers — the standards, what each one actually protects against, and how the identity providers and cloud hyperscalers implement them. Simple terms, diagrams, and code. ...