Calling APIs from Highly Trusted Clients

Limited Region Support

This feature is only available for tenants under the US region. We will roll out this feature to every region in the following weeks.

Highly trusted mobile apps and client-side web apps can use the Resource Owner Password Grant to access an API. In this flow the end user is asked to fill in credentials (username/password), typically using an interactive form. This information is then sent to the Client and the Authorization Server. It is therefore imperative that the Client is absolutely trusted with this information.


The Resource Owner Password Grant (defined in RFC 6749, section 4.3) can be used directly as an authorization grant to obtain an access token and optionally a refresh token. This grant should only be used when there is a high degree of trust between the user and the client and when other authorization flows are not available.

This grant type can eliminate the need for the client to store the user credentials for future use, by exchanging the credentials for a long-lived access token or refresh token.

Resource Owner Password Grant

  1. The Resource Owner enters the credentials into the client application
  2. The client forwards the Resource Owner's credentials to the Authorization Server
  3. The Authorization Server validates the information and returns an access_token and optionally a refresh_token
  4. The Client can use the access_token to call the Resource Server on behalf of the Resource Owner
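
The four steps above, sketched as an added example (not code from the original page or from any vendor SDK): it builds the token request defined in RFC 6749, section 4.3.2, refuses to send credentials to a non-TLS endpoint, and keeps only the tokens from the response. The endpoint URL, client id, user values and sample responses are constructed placeholders, and a Bearer token type is assumed.

```python
import json
from urllib.parse import urlencode, urlsplit


class TokenError(Exception):
    """Raised when the Authorization Server rejects the grant (RFC 6749, 5.2)."""


def build_token_request(token_endpoint, client_id, username, password, scope=None):
    """Step 2: form-encoded POST body defined in RFC 6749, section 4.3.2."""
    if urlsplit(token_endpoint).scheme != "https":
        raise ValueError("credentials must only be sent over TLS")
    form = {"grant_type": "password", "username": username,
            "password": password, "client_id": client_id}
    if scope:
        form["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return token_endpoint, headers, urlencode(form).encode("utf-8")


def parse_token_response(status, body):
    """Step 3: accept a success response (5.1) or raise on an error (5.2)."""
    data = json.loads(body)
    if status != 200 or "error" in data:
        raise TokenError(data.get("error", "unknown_error"))
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise TokenError("unsupported_token_response")
    # Only tokens are returned to the caller; the password is never kept.
    return {"access_token": data["access_token"],
            "refresh_token": data.get("refresh_token"),  # optional
            "expires_in": data.get("expires_in")}


def api_headers(tokens):
    """Step 4: the access token, not the password, goes to the Resource Server."""
    return {"Authorization": "Bearer " + tokens["access_token"]}


# Constructed sample responses; no network call is made in this example.
SAMPLE_OK = b'{"access_token":"constructed-at","token_type":"Bearer","expires_in":86400}'
SAMPLE_DENIED = b'{"error":"invalid_grant","error_description":"Wrong credentials"}'

if __name__ == "__main__":
    url, hdrs, body = build_token_request(
        "https://as.example.com/oauth/token", "example-client-id",
        "user@example.com", "correct horse", scope="read:items")
    print(url, body.decode())
    print(api_headers(parse_token_response(200, SAMPLE_OK)))
```
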

Use Case

  • Allow the Client to make calls to the Resource Server on behalf of the Resource Owner
  • The Client is a highly trusted application and other authorization flows are not available