Client Credentials Grant

The Client Credentials Grant (defined in RFC 6749, section 4.4) allows an application to request an Access Token using its Client Id and Client Secret. It is used for non-interactive applications (a CLI, a daemon, or a service running on your backend) where the token is issued to the application itself rather than to an end user.

To perform the Client Credentials Grant, the Application must have the Client Credentials grant type enabled. Machine to Machine Applications and Regular Web Applications have it enabled by default.

Client Credentials Grant Flow

  1. The application authenticates with Auth0 using its Client Id and Client Secret.

  2. Auth0 validates this information and returns an Access Token.

  3. The application can use the Access Token to call the API on its own behalf.

In OAuth 2.0 terms, the application is the Client, the end user the Resource Owner, the API the Resource Server, the browser the User Agent, and Auth0 the Authorization Server.
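The three steps above, run end to end against a small in-process mock of the Authorization Server and Resource Server. This is an added example and not Auth0's code: the request and response shapes follow RFC 6749 section 4.4 and Auth0's JSON token endpoint (POST /oauth/token with grant_type, client_id, client_secret and audience), but the client registry, the secret, the audience value, the opaque token format and the /api/whoami resource are all constructed for the demo.

```python
"""Client Credentials Grant, end to end, against a mock Authorization Server.

Added example, not Auth0's code. The mock server runs on localhost so the
exchange works offline; client id, secret, audience and the resource path
are constructed values.
"""
import hmac
import json
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed client registry. The secret is kept in the clear only for the
# demo; a real authorization server stores a hash of it.
CLIENTS = {"cli-backend-job": "s3cr3t-constructed"}
AUDIENCE = "https://api.example.test/"   # assumed API identifier
ISSUED = {}                              # access_token -> {"sub", "exp"}
TOKEN_TTL = 3600
# Ignore proxy environment variables so the loopback call is direct.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def issue_token(client_id, client_secret, audience):
    """Authorization Server side: validate the client, mint an Access Token."""
    expected = CLIENTS.get(client_id)
    # Constant-time comparison of the secret itself.
    if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return 401, {"error": "access_denied", "error_description": "Unauthorized"}
    if audience != AUDIENCE:
        return 403, {"error": "access_denied", "error_description": "unknown audience"}
    token = secrets.token_urlsafe(32)    # opaque token for the mock
    ISSUED[token] = {"sub": client_id, "exp": time.time() + TOKEN_TTL}
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}


def resource_identity(auth_header):
    """Resource Server side: map a Bearer token back to the application.

    The subject is the application itself, since no end user is involved."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    entry = ISSUED.get(auth_header[len("Bearer "):])
    if entry is None or entry["exp"] < time.time():
        return 401, {"error": "invalid or expired token"}
    return 200, {"sub": entry["sub"]}


class Handler(BaseHTTPRequestHandler):
    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):   # token endpoint, step 1 and 2
        if self.path != "/oauth/token":
            return self._send(404, {"error": "not found"})
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        if body.get("grant_type") != "client_credentials":
            return self._send(400, {"error": "unsupported_grant_type"})
        self._send(*issue_token(body.get("client_id", ""), body.get("client_secret", ""),
                                body.get("audience")))

    def do_GET(self):    # protected API, step 3
        if self.path != "/api/whoami":
            return self._send(404, {"error": "not found"})
        self._send(*resource_identity(self.headers.get("Authorization")))

    def log_message(self, *args):   # keep the demo quiet
        pass


def call(method, url, payload=None, headers=None):
    """Client side HTTP helper; returns (status, parsed JSON body)."""
    data = json.dumps(payload).encode() if payload is not None else None
    hdrs = {"Content-Type": "application/json", **(headers or {})}
    req = urllib.request.Request(url, data=data, headers=hdrs, method=method)
    try:
        with OPENER.open(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read())


def run_flow(client_id, client_secret):
    """Steps 1-3: authenticate with the credentials, get a token, call the API."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        status, tok = call("POST", f"{base}/oauth/token", {
            "grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "audience": AUDIENCE})
        if status != 200:
            return {"token_status": status, "token": tok}
        api_status, api = call("GET", f"{base}/api/whoami",
                               headers={"Authorization": f"Bearer {tok['access_token']}"})
        return {"token_status": status, "token": tok, "api_status": api_status, "api": api}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_flow("cli-backend-job", "s3cr3t-constructed"))
    print(run_flow("cli-backend-job", "wrong-secret"))
```

The successful run returns the token response and then `{"sub": "cli-backend-job"}` from the API, showing that the token's subject is the application, not a user; a wrong secret stops at step 2 with a 401 and never reaches the API.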

How to implement the flow

For details on how to implement this using Auth0, refer to Execute a Client Credentials Grant.