Client Credentials Flow


The client credentials flow is used when a client application needs to access a resource that isn't user-specific. The client authenticates by supplying both its client ID and client secret in the request. This is useful when a trusted application needs to perform an administrative task that isn't tied to any particular user and therefore does not need the usual user-authorization flow.

Protocol


Because this flow requires the use of the client secret, it should only be used in secure settings where that secret can be kept confidential. Also, because no user ID is supplied in this request, user-specific resources are not accessible via this method.

Here's some example JavaScript that shows how to initiate the flow.

const request = require('request');   // the npm "request" package this snippet assumes
// CLIENT_ID and CLIENT_SECRET are placeholders for the credentials issued to your application.
request.post({
    url: 'https://1.2.3.4:8080/token',   // full URL including scheme; use HTTPS so the secret is never sent in clear text
    qs:  { 'client_id' : CLIENT_ID,
           'client_secret' : CLIENT_SECRET,
           'grant_type': 'client_credentials'}},
  (err, res, body) => console.log(err || res.statusCode, body));   // body is the JSON described below

If successful, the response will be a JSON object:

{
   "access_token": "axb2y-...",
   "expires_in":3600,
   "token_type":"Bearer"
}

In the case of an error, the response will be a JSON object with an HTTP status code of 400 (or above) and the following structure:

{
   "error": "incorrect_client_credentials",
   "error_description": "Could not validate client ID/secret"
}
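The following is an added example, not code from the original page: a small Node.js helper that builds the token request, interprets the success and error replies documented above, and decides when a cached token is about to expire. It makes no network calls. The endpoint URL, the client ID and the client secret are placeholders, and the two sample replies are constructed from the JSON shapes shown on this page. Unlike the snippet above, it sends the credentials in an HTTP Basic header and the grant type in a form-encoded body, which is how RFC 6749 (sections 2.3.1 and 4.4.2) specifies the token request.

```javascript
// Added example, not code from the original page: builds the client-credentials
// token request, parses the success/error replies shown above, and checks
// token freshness. No network calls are made; all values are placeholders.

// Placeholders; the endpoint host is the one used in the page's snippet.
const TOKEN_URL = 'https://1.2.3.4:8080/token';
const CLIENT_ID = 'example-client-id';         // constructed placeholder
const CLIENT_SECRET = 'example-client-secret'; // constructed placeholder

// Build the token request. RFC 6749 puts grant_type in a form-encoded POST
// body (section 4.4.2) and lets the client authenticate with HTTP Basic
// (section 2.3.1). Keeping the secret out of the URL keeps it out of proxy
// and web-server access logs, which routinely record query strings.
function buildTokenRequest(clientId, clientSecret, tokenUrl = TOKEN_URL) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
  return {
    method: 'POST',
    url: tokenUrl,
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({ grant_type: 'client_credentials' }).toString(),
  };
}

// Interpret the token endpoint's reply. A status of 400 or above, or a body
// carrying "error", is the error shape documented above; a success body must
// carry a bearer access_token. The result records an absolute expiry time so
// callers do not need to remember when the token was issued.
function parseTokenResponse(statusCode, bodyText, now = Date.now()) {
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch (e) {
    throw new Error(`token endpoint returned a non-JSON body (status ${statusCode})`);
  }
  if (statusCode >= 400 || body.error) {
    const err = new Error(body.error_description || 'token request failed');
    err.code = body.error || 'unknown_error';
    err.statusCode = statusCode;
    throw err;
  }
  if (typeof body.access_token !== 'string' || body.token_type !== 'Bearer') {
    throw new Error('token endpoint returned an unexpected success body');
  }
  const ttlMs = Number(body.expires_in) * 1000;
  if (!Number.isFinite(ttlMs)) {
    throw new Error('token endpoint returned a missing or invalid expires_in');
  }
  return { accessToken: body.access_token, expiresAt: now + ttlMs };
}

// True while the token is still usable, with a safety margin (skewMs) so a
// request does not leave with a token that expires while in transit.
function tokenIsFresh(token, now = Date.now(), skewMs = 30 * 1000) {
  return token.expiresAt - now > skewMs;
}

// Constructed replies using the shapes documented on the page.
const SAMPLE_SUCCESS = '{"access_token":"axb2y-...","expires_in":3600,"token_type":"Bearer"}';
const SAMPLE_ERROR =
  '{"error":"incorrect_client_credentials","error_description":"Could not validate client ID/secret"}';

// Walk through the flow with the sample replies: a successful exchange and a
// rejected one, returning the outcome of each.
function demo() {
  const request = buildTokenRequest(CLIENT_ID, CLIENT_SECRET);
  const token = parseTokenResponse(200, SAMPLE_SUCCESS);
  let failure = null;
  try {
    parseTokenResponse(400, SAMPLE_ERROR);
  } catch (e) {
    failure = e.code;
  }
  return { request, token, failure };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In a real client the request object would be handed to an HTTPS library and the reply passed to parseTokenResponse; tokenIsFresh is then the check to run before every call to the protected resource, fetching a new token only when it returns false, which avoids hitting the token endpoint on every request.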