Skip to main content

Client Credentials

The purpose of the Client Credentials flow is to acquire an Access Token, which can be added as Bearer token to REST calls made towards a Resource Server.

This flow must be used by machine-to-machine applications only. The app must be able to store a client secret in a safe place.

Client Credentials flow

  1. Your app sends a request to the Identity Cloud Token endpoint. The client_id and client_secret are used as credentials for Basic Authentication 1:

    POST /auth/oauth2/token HTTP/1.1
    Authorization : Basic YTIwOTEwNTBjZmRkMTVjZTpjMDkxYTE1MWZmY2U5NjM1
    grant_type=client_credentials
    &scope=yourscope1

    If your app requests multiple scopes, they should be separated by an encoded space (%20).

  2. Upon successful validation of client_id, client_secret, and the requested scopes, an access token in JWT format is returned 2:


    {
      "access_token":"ey...",
      "token_type":"Bearer",
      "expires_in":3600
    }

Your app can now use the received access token to call a resource server.

1 calculated as: base64(<client_id>:<client_secret>)

2 line-breaks have been added to make the response more readable.