Rate this page

Client Credentials Grant Type

This is a special grant type made directly to the token endpoint, used to request an access token for either:

  1. Resources owned by the client rather than any specific end user, or
  2. Resources belonging to multiple end users. For example, an application token is often needed to perform a SCIM search.

The access token received as the result of such a request is called an application token.

Token request

POST /oauth/token

The client uses HTTP basic authentication with its client ID and client secret to authenticate itself to the token endpoint and must specify a Content-Type of application/x-www-form-urlencoded. The following parameters are provided in the body of the request using form-urlencoding.

Parameter Required? Description
grant_type yes Value must be client_credentials.
scope no A space-delimited set of scope names. If omitted, the client’s default scopes are used.

Scopes requested using this grant type must be of type Generic or Resource. Scopes must not be configured to require consent; doing so will cause the request to fail.

Example request:

POST /oauth/token HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate
Authorization: Basic dGVzdDE6cGFzc3dvcmRwYXNzd29yZHBhc3N3b3JkcGFzc3dvcmQ=
Connection: keep-alive
Content-Length: 74
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: example.com:443


Token response

If the token request succeeds, the server will respond with a 200 response code.

Field Type Provided? Description
access_token string always The access token.
token_type string always The access token type. The value is always Bearer.
expires_in number always A value in seconds indicating the lifetime of the access token.
scope string always A space-delimited set of the scopes actually granted. This may be a subset of the requested scopes.

Example response:

HTTP/1.1 200 OK
Content-Length: 270
Content-Type: application/json
Date: Mon, 18 Apr 2016 23:05:09 GMT
Pragma: no-cache
Cache-Control: no-store

    "access_token": "eyJraWQiOiJBY2Nlc3MgVG9rZW4gU2lnbmluZyBLZXkgUGFpciIsImFsZyI6IlJTNTEyIn0.eyJzY29wZSI6ImFjY291bnQgcGFzc3dvcmQgcHFyIiwiZXhwIjoxNDc1MzM4MzE1LCJpYXQiOjE0NzQ5MDYzMTUsImNsaWVudF9pZCI6InRlc3QxIiwianRpIjoiYS4zQm1RUWcifQ.LEGEbyLh-eg85YVfBleMIZveI3J9eTtKtc6w8ocmOM28M2ruGuUxJHELgGmeZK85RXZwLhHTstocPxSObzWXmSovkNneuIwRI3ahVSaLMdymzyHlVZGWWWE35fqyqeh3YB_z3TEp1DVwo8kjMzhUCJevr_CtPNlgECdUZuJmOXD9ceNyGqnO2IBtfBQdipgi1xA_Usxh7S6127d9xiKz9jK1u2JtBuEOfnScunUcqwvWvtRsC3z3nk6mN5yWdigjVqwDjL0Ei0_XPcf3mwVuYWmrVjYlagD_8rv1WS4da8uz8H5vGDAftgSozL2slpdy_S80XrGpm-q9pylXL--5WQ",
    "expires_in": 43200,
    "scope": "account password pqr",
    "token_type": "Bearer"