Client Credentials exchange
This document is part of the adoption guide for OIDC-conformant authentication. If you haven't already, we strongly suggest reading the introduction before reading this document.
The Client Credentials exchange allows clients to authenticate as themselves (i.e. not on behalf of any user) to programmatically and securely obtain access to an API.
This exchange does not exist in the legacy pipeline, but the Resource Owner Password Credentials exchange can be used to simulate it by creating a "service user".
We strongly discourage the latter approach in favor of using Client Credentials, since Client Credentials allows defining fine-grained permissions for each API client.
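As an added illustration (not code from the original guide), the sketch below builds the token request a client sends and shows how an API can enforce per-client permissions on the resulting access token. The domain, audience, client IDs and scope names are constructed placeholders. The check assumes the token's signature, issuer and expiry were already verified by a JWT library, and that the tenant marks these tokens with a `gty` claim of `client-credentials`.

```python
import json
import urllib.request

# Constructed placeholders, not values from the guide.
DOMAIN = "tenant.example.com"
AUDIENCE = "https://api.example.com/"

def build_token_request(client_id, client_secret, audience=AUDIENCE, domain=DOMAIN):
    """Build (but do not send) the Client Credentials token request."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # load from a secret store, never hard-code
        "audience": audience,
    }
    return urllib.request.Request(
        f"https://{domain}/oauth/token",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )

def authorize_client(claims, required_scope, audience=AUDIENCE):
    """API-side check on claims from an ALREADY signature-verified access token."""
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    # Assumption: the tenant sets gty to "client-credentials" on these tokens.
    # A token issued for a user must not pass as an API client.
    if claims.get("gty") != "client-credentials":
        return False, "not a client credentials token"
    # Fine-grained permissions: each client only holds the scopes granted to it.
    if required_scope not in set(claims.get("scope", "").split()):
        return False, f"missing scope {required_scope}"
    return True, "ok"

# Constructed sample claims: a reporting job limited to read access, and a user token.
REPORT_JOB = {"sub": "reportjob123@clients", "aud": AUDIENCE,
              "gty": "client-credentials", "scope": "read:reports"}
USER_TOKEN = {"sub": "auth0|user1", "aud": [AUDIENCE], "scope": "read:reports"}

if __name__ == "__main__":
    print(build_token_request("reportjob123", "<client-secret>").full_url)
    for claims, scope in [(REPORT_JOB, "read:reports"),
                          (REPORT_JOB, "delete:reports"),
                          (USER_TOKEN, "read:reports")]:
        print(claims["sub"], scope, authorize_client(claims, scope))
```

Unlike a shared "service user" password, each client here carries its own scope set, so revoking or narrowing one client's access does not affect the others.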
- Calling your APIs with Auth0 tokens
- User consent and third-party clients
- Custom user profile claims and
- Single sign-on (SSO)
- Initiating authentication flows:
- Refresh tokens
- Delegation (deprecated)
- Passwordless authentication (unsupported)
- List of breaking changes for OIDC-conformant clients