
Client Credentials Flow

Use Client Credentials Flow to enable secure, machine-to-machine communication between services and applications without requiring a user.

What is Client Credentials Flow?

Client Credentials Flow allows applications or services to authenticate themselves with an authorization server to get an access token. It’s used in scenarios without a user, such as batch processing or system integration in machine-to-machine environments.

Only confidential clients that can securely store credentials can use this flow.

How Client Credentials Flow works

The client application uses client authentication as its authorization grant, and no additional authorization is needed.

  1. Client Authentication. Application authenticates itself to the authorization server using its credentials.

  2. Token Request. Client sends a POST request to the token endpoint to get an access token.

    Sample call to the token endpoint:

    curl -X POST https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID/oauth2/token \
    --header "Content-Type: application/x-www-form-urlencoded" \
    --data-raw "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET"

    Region ID notes

    REGION_ID is available for recently created tenants in the tenant URL next to TENANT_ID. The region IDs are assigned as follows:

    • Australia: au

    • Europe: eu

    • USA: us

    If the tenant URL doesn't include a region identifier, omit the REGION_ID parameter.

  3. Authorization Server Validation. Server checks the credentials and responds with an access token.

  4. Resource Access. Client uses the token to request resources from the resource server.

  5. Resource Validation. Resource server validates the token and grants access.
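The steps above as a client-side sketch. This is an added example, not Cloudentity's own code: it builds the token URL with or without a region, percent-encodes the form fields so a secret containing `&` or `+` is sent intact, and checks the reply before the token is used. The function names, the sample reply and the 30-second expiry margin are assumptions.

```python
import json
import time
import urllib.parse
import urllib.request

# Constructed sample reply, not captured from a real tenant.
SAMPLE_REPLY = '{"access_token": "example.token.value", "token_type": "bearer", "expires_in": 3600}'

def token_endpoint(tenant_id, workspace_id, region_id=None):
    """Token URL; the region label is left out for tenants without one."""
    labels = [tenant_id] + ([region_id] if region_id else [])
    host = ".".join(labels) + ".authz.cloudentity.io"
    return f"https://{host}/{tenant_id}/{workspace_id}/oauth2/token"

def build_token_request(url, client_id, client_secret):
    """Step 2: POST the same form fields as the curl call, percent-encoded."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # '&', '+', '=' in a secret stay intact
    }).encode("ascii")
    return urllib.request.Request(
        url, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(body, now=None, margin=30):
    """Step 3: check the reply and work out when to request a new token."""
    reply = json.loads(body)
    if "error" in reply:
        raise ValueError(f"token request rejected: {reply['error']}")
    if str(reply.get("token_type", "")).lower() != "bearer" or not reply.get("access_token"):
        raise ValueError("reply does not contain a bearer access token")
    now = time.time() if now is None else now
    # margin (assumed 30 s) retires the token slightly before it expires
    lifetime = max(int(reply.get("expires_in", 0)) - margin, 0)
    return {"access_token": reply["access_token"], "expires_at": now + lifetime}

def resource_headers(token):
    """Step 4: header that presents the token to the resource server."""
    return {"Authorization": f"Bearer {token['access_token']}"}

def fetch_token(url, client_id, client_secret):
    """Network call: urlopen raises HTTPError when the server rejects the client."""
    request = build_token_request(url, client_id, client_secret)
    with urllib.request.urlopen(request, timeout=10) as response:
        return parse_token_response(response.read())
```

Load the client secret from a secrets manager or the environment at run time rather than hard-coding it, and reuse the token until `expires_at` instead of requesting a new one per call.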

Best practice