User Credentials Flow

The user credentials flow (also known as the password flow) is used when the client application already has a copy of a user’s login and password, and needs to periodically obtain an access token. This is useful when a trusted application (e.g., an official mobile client) needs to perform an administrative task with a known trusted user.


Because this flow requires a user’s login and password, it should only be used in special circumstances and in secure settings. While it’s usually possible to reset the user’s password in the case of a security breach, this is cumbersome for both the user and client application.

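Here’s some example JavaScript that shows how to initiate the flow.

    // The call that opens this snippet is missing from the page; request.post()
    // from the `request` npm module is assumed here, since the options object
    // uses that module's `url` and `qs` keys.
    var request = require('request');

    request.post({
        url: '',   // token endpoint URL (left blank on the page)
        qs:  { 'username': user_name,
               'password' : user_password,
               'client_id' : CLIENT_ID,
               'grant_type': 'password'}});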

If successful, the response will be a JSON object:

   "access_token": "axb2y-...",

In the case of an error, the response has a status code of 400 (or above) and a JSON object with the following structure:

   {
      "error": "invalid_refresh_token",
      "error_description": "Invalid refresh token"
   }
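
The request parameters and the two response shapes described above, handled in one place with the password masked before anything is logged. This is an added example, not code from the original page or the API's own client; the function names, the `malformed_response` label and the sample values are assumptions.

```javascript
// Added example. Field names come from the page; function names, the
// 'malformed_response' label and all sample values are constructed.

// Build the four parameters the page lists for the password grant.
function buildPasswordGrantParams(userName, userPassword, clientId) {
  for (const [k, v] of Object.entries({ userName, userPassword, clientId })) {
    if (typeof v !== 'string' || v.length === 0) {
      throw new TypeError(k + ' must be a non-empty string');
    }
  }
  return new URLSearchParams({
    username: userName,
    password: userPassword,
    client_id: clientId,
    grant_type: 'password',
  });
}

// Return a loggable string with the password masked; the input is not modified.
function redactForLog(params) {
  const copy = new URLSearchParams(params);
  if (copy.has('password')) copy.set('password', '[redacted]');
  return copy.toString();
}

// Classify a token response from its HTTP status and raw body text.
function parseTokenResponse(status, bodyText) {
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch (e) {
    return { ok: false, error: 'malformed_response', description: 'Body is not JSON' };
  }
  if (body === null || typeof body !== 'object') {
    return { ok: false, error: 'malformed_response', description: 'Body is not a JSON object' };
  }
  if (status >= 400) {
    // Error structure from the page: "error" and "error_description".
    return {
      ok: false,
      error: String(body.error || 'unknown_error'),
      description: String(body.error_description || ''),
    };
  }
  if (typeof body.access_token !== 'string' || body.access_token === '') {
    return { ok: false, error: 'malformed_response', description: 'No access_token in body' };
  }
  return { ok: true, accessToken: body.access_token };
}
```

Pass `redactForLog(params)` rather than the parameters themselves to any logger, and treat a 2xx response without an `access_token` as a failure instead of proceeding unauthenticated.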