Client Credentials exchange

Adoption Guide

This document is part of the adoption guide for OIDC-conformant authentication. If you haven't already, we strongly suggest reading the introduction before reading this document.

The Client Credentials exchange allows clients to authenticate as themselves (i.e. not on behalf of any user) to programmatically and securely obtain access to an API.

This exchange does not exist in the legacy pipeline, but the Resource Owner Password Credentials exchange can be used to simulate it by creating a "service user".

We strongly discourage the latter approach. Use Client Credentials instead, since Client Credentials allows defining fine-grained permissions for each API client.

For more information on how to execute a Client Credentials exchange, refer to Call APIs from Client-side Web Apps.
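The two request shapes contrasted above, plus a check of the token response against the permissions the client actually needs, as an added example that is not part of the original guide. The function names, the `audience` parameter naming the target API, and all sample values are assumptions made for illustration; the grant parameters follow RFC 6749.

```python
import base64
from urllib.parse import quote, urlencode

FORM = {"Content-Type": "application/x-www-form-urlencoded"}

def client_credentials_request(client_id, client_secret, audience, scope):
    """RFC 6749 section 4.4: the client authenticates as itself, no user involved."""
    # Section 2.3.1: form-encode id and secret before building the Basic header.
    pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    auth = "Basic " + base64.b64encode(pair.encode()).decode()
    form = {"grant_type": "client_credentials", "audience": audience, "scope": scope}
    return {"headers": {**FORM, "Authorization": auth}, "body": urlencode(form)}

def service_user_request(client_id, username, password, audience):
    """Legacy simulation (RFC 6749 section 4.3): a user's password stands in for the client."""
    form = {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password, "audience": audience}
    return {"headers": dict(FORM), "body": urlencode(form)}

def check_token_response(resp, requested_scope, required_scope):
    """Return problems found in a client credentials token response."""
    problems = []
    if resp.get("token_type", "").lower() != "bearer":
        problems.append("unexpected token_type")
    if "refresh_token" in resp:
        # Section 4.4.3: a refresh token SHOULD NOT be issued for this grant.
        problems.append("refresh_token present")
    # Section 5.1: "scope" may be omitted when it equals the requested scope.
    granted = set(resp.get("scope", requested_scope).split())
    missing = set(required_scope.split()) - granted
    if missing:
        problems.append("missing scope: " + " ".join(sorted(missing)))
    extra = granted - set(requested_scope.split())
    if extra:
        problems.append("unrequested scope: " + " ".join(sorted(extra)))
    return problems

# Constructed sample values (not real credentials or endpoints).
REQ = client_credentials_request("billing-worker", "s3cr3t/placeholder",
                                 "https://api.example.com/", "read:invoices")
RESP_OK = {"access_token": "placeholder", "token_type": "Bearer", "expires_in": 86400}
RESP_BAD = {"access_token": "placeholder", "token_type": "Bearer",
            "scope": "read:invoices delete:invoices", "refresh_token": "placeholder"}

if __name__ == "__main__":
    print(REQ["body"])
    print(check_token_response(RESP_OK, "read:invoices", "read:invoices"))
    print(check_token_response(RESP_BAD, "read:invoices", "read:invoices"))
```

The service-user form carries a user password in the request body, while the client credentials form carries only the client's own credentials and the scope it asks for.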
