Set up a Client Credentials Grant using the Management API

Auth0 lets you authorize applications that have the 'Client Credential' grant type enabled to call APIs using the OAuth Client Credentials Grant.

By default, all Machine to Machine Applications and Regular Web Applications have it the 'Client Credentials' grant enabled, but they are not authorized to call any API.

If you want to call an API from these applications, you first need to authorize the application to call the API and specify the scopes that will be granted. You can do that using the Dashboard, or follow the steps below to use the API.

You will need the following:

  • A Management API access token with the create:client_grants scopes. For details on how to get one refer to How to Get an Access Token for the Management API.

  • The application information (Client_Id and Client_Secret) for the application you want to authorize Auth0 dashboard.

  • The API identifier for the API you want to invoke (https://manage.auth0.com/#/apis).

Authorize the Application

To authorize your Application send a POST request to the /client-grants endpoint of the Management APIv2 with the Management API Access Token.

The following example authorizes the application with Id YOUR_CLIENT_ID, to access the API with Identifier https://my-api-urn, while granting the scope sample-scope.


curl --request POST \
  --url 'https://YOUR_AUTH0_DOMAIN/api/v2/client-grants' \
  --header 'authorization: Bearer Auth0_MGMT_API_ACCESS_TOKEN' \
  --header 'content-type: application/json' \
  --data '{"client_id": "YOUR_CLIENT_ID","audience": "https://my-api-urn","scope":["sample-scope"]}'
var client = new RestClient("https://YOUR_AUTH0_DOMAIN/api/v2/client-grants");
var request = new RestRequest(Method.POST);
request.AddHeader("authorization", "Bearer Auth0_MGMT_API_ACCESS_TOKEN");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"client_id\": \"YOUR_CLIENT_ID\",\"audience\": \"https://my-api-urn\",\"scope\":[\"sample-scope\"]}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
package main

import (
	"fmt"
	"strings"
	"net/http"
	"io/ioutil"
)

func main() {

	url := "https://YOUR_AUTH0_DOMAIN/api/v2/client-grants"

	payload := strings.NewReader("{\"client_id\": \"YOUR_CLIENT_ID\",\"audience\": \"https://my-api-urn\",\"scope\":[\"sample-scope\"]}")

	req, _ := http.NewRequest("POST", url, payload)

	req.Header.Add("content-type", "application/json")
	req.Header.Add("authorization", "Bearer Auth0_MGMT_API_ACCESS_TOKEN")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)

	fmt.Println(res)
	fmt.Println(string(body))

}
HttpResponse<String> response = Unirest.post("https://YOUR_AUTH0_DOMAIN/api/v2/client-grants")
  .header("content-type", "application/json")
  .header("authorization", "Bearer Auth0_MGMT_API_ACCESS_TOKEN")
  .body("{\"client_id\": \"YOUR_CLIENT_ID\",\"audience\": \"https://my-api-urn\",\"scope\":[\"sample-scope\"]}")
  .asString();
var settings = {
  "async": true,
  "crossDomain": true,
  "url": "https://YOUR_AUTH0_DOMAIN/api/v2/client-grants",
  "method": "POST",
  "headers": {
    "content-type": "application/json",
    "authorization": "Bearer Auth0_MGMT_API_ACCESS_TOKEN"
  },
  "processData": false,
  "data": "{\"client_id\": \"YOUR_CLIENT_ID\",\"audience\": \"https://my-api-urn\",\"scope\":[\"sample-scope\"]}"
}

$.ajax(settings).done(function (response) {
  console.log(response);
});
var request = require("request");

var options = { method: 'POST',
  url: 'https://YOUR_AUTH0_DOMAIN/api/v2/client-grants',
  headers: 
   { authorization: 'Bearer Auth0_MGMT_API_ACCESS_TOKEN',
     'content-type': 'application/json' },
  body: 
   { client_id: 'YOUR_CLIENT_ID',
     audience: 'https://my-api-urn',
     scope: [ 'sample-scope' ] },
  json: true };

request(options, function (error, response, body) {
  if (error) throw new Error(error);

  console.log(body);
});
#import <Foundation/Foundation.h>

NSDictionary *headers = @{ @"content-type": @"application/json",
                           @"authorization": @"Bearer Auth0_MGMT_API_ACCESS_TOKEN" };
NSDictionary *parameters = @{ @"client_id": @"YOUR_CLIENT_ID",
                              @"audience": @"https://my-api-urn",
                              @"scope": @[ @"sample-scope" ] };

NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil];

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://YOUR_AUTH0_DOMAIN/api/v2/client-grants"]
                                                       cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                   timeoutInterval:10.0];
[request setHTTPMethod:@"POST"];
[request setAllHTTPHeaderFields:headers];
[request setHTTPBody:postData];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
                                                }
                                            }];
[dataTask resume];
$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://YOUR_AUTH0_DOMAIN/api/v2/client-grants",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => "{\"client_id\": \"YOUR_CLIENT_ID\",\"audience\": \"https://my-api-urn\",\"scope\":[\"sample-scope\"]}",
  CURLOPT_HTTPHEADER => array(
    "authorization: Bearer Auth0_MGMT_API_ACCESS_TOKEN",
    "content-type: application/json"
  ),
));

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}
import http.client

conn = http.client.HTTPSConnection("")

payload = "{\"client_id\": \"YOUR_CLIENT_ID\",\"audience\": \"https://my-api-urn\",\"scope\":[\"sample-scope\"]}"

headers = {
    'content-type': "application/json",
    'authorization': "Bearer Auth0_MGMT_API_ACCESS_TOKEN"
    }

conn.request("POST", "/YOUR_AUTH0_DOMAIN/api/v2/client-grants", payload, headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))
require 'uri'
require 'net/http'

url = URI("https://YOUR_AUTH0_DOMAIN/api/v2/client-grants")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request = Net::HTTP::Post.new(url)
request["content-type"] = 'application/json'
request["authorization"] = 'Bearer Auth0_MGMT_API_ACCESS_TOKEN'
request.body = "{\"client_id\": \"YOUR_CLIENT_ID\",\"audience\": \"https://my-api-urn\",\"scope\":[\"sample-scope\"]}"

response = http.request(request)
puts response.read_body
import Foundation

let headers = [
  "content-type": "application/json",
  "authorization": "Bearer Auth0_MGMT_API_ACCESS_TOKEN"
]
let parameters = [
  "client_id": "YOUR_CLIENT_ID",
  "audience": "https://my-api-urn",
  "scope": ["sample-scope"]
]

let postData = NSJSONSerialization.dataWithJSONObject(parameters, options: nil, error: nil)

var request = NSMutableURLRequest(URL: NSURL(string: "https://YOUR_AUTH0_DOMAIN/api/v2/client-grants")!,
                                        cachePolicy: .UseProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.HTTPMethod = "POST"
request.allHTTPHeaderFields = headers
request.HTTPBody = postData

let session = NSURLSession.sharedSession()
let dataTask = session.dataTaskWithRequest(request, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
    println(error)
  } else {
    let httpResponse = response as? NSHTTPURLResponse
    println(httpResponse)
  }
})

dataTask.resume()

Sample response:

{
    "id": "cgr_JGa6ZckLjnt60rWe",
    "client_id": "YOUR_CLIENT_ID",
    "audience": "https://test-api",
    "scope": [
        "sample-scope"
    ]
}

That's it, you are done! Now that all the elements are in place, you can request Access Tokens for your API from Auth0 using the Client Credentials Grant.

Keep reading