Client Credentials exchange

Adoption Guide

This document is part of the adoption guide for OIDC-conformant authentication. If you haven't already, we strongly suggest reading the introduction before reading this document.

The Client Credentials exchange allows apps to authenticate as themselves (that is, not on behalf of any user) to programmatically and securely obtain access to an API.

This exchange does not exist in the legacy pipeline, but the Resource Owner Password Credentials exchange can be used to simulate it by creating a "service user".

We strongly discourage the latter approach. Use the Client Credentials exchange instead, since it allows defining fine-grained permissions for each API app.

For more information on how to execute a Client Credentials exchange, refer to Call API Using the Client Credentials Flow.
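The two token requests contrasted above, side by side, as an added example that is not part of the original guide or the product's own code. It follows RFC 6749 (section 4.4 for Client Credentials, section 4.3 for the password grant); the endpoint URL, the `audience` parameter, HTTP Basic client authentication, and all client, user and scope names are assumptions made for illustration.

```python
import base64
import json
from urllib.parse import parse_qs, quote_plus, urlencode
from urllib.request import Request

# Constructed placeholders (assumptions): not a real endpoint, API or secret.
TOKEN_URL = "https://auth.example.test/oauth/token"
API_AUDIENCE = "https://api.example.test/"

def _post(fields, headers=None):
    hdrs = {"Content-Type": "application/x-www-form-urlencoded", **(headers or {})}
    return Request(TOKEN_URL, data=urlencode(fields).encode(), headers=hdrs, method="POST")

def client_credentials_request(client_id, client_secret, scopes):
    """RFC 6749 section 4.4: the app authenticates as itself; no user is involved."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode()
    basic = "Basic " + base64.b64encode(pair).decode()
    # `audience` (which API the token is for) is an assumed, server-specific parameter.
    return _post({"grant_type": "client_credentials", "audience": API_AUDIENCE,
                  "scope": " ".join(scopes)}, {"Authorization": basic})

def service_user_request(client_id, username, password, scopes):
    """The discouraged simulation: a password grant for a made-up 'service user'."""
    return _post({"grant_type": "password", "client_id": client_id,
                  "username": username, "password": password,
                  "scope": " ".join(scopes)})

def form_fields(request):
    """Decode a request body back into a flat dict for inspection."""
    return {k: v[0] for k, v in parse_qs(request.data.decode()).items()}

def accept_token_response(raw_json, requested_scopes):
    """Return (access_token, granted_scopes); reject anything broader than requested."""
    resp = json.loads(raw_json)
    if str(resp.get("token_type", "")).lower() != "bearer" or not resp.get("access_token"):
        raise ValueError("not a usable bearer token response")
    # RFC 6749 section 5.1: `scope` may be omitted when it equals what was requested.
    granted = set(resp.get("scope", " ".join(requested_scopes)).split())
    extra = granted - set(requested_scopes)
    if extra:
        raise ValueError(f"token grants unrequested scopes: {sorted(extra)}")
    return resp["access_token"], granted

if __name__ == "__main__":
    req = client_credentials_request("billing-worker", "constructed-secret", ["read:invoices"])
    print(form_fields(req))
    print(accept_token_response(
        '{"access_token": "constructed.token", "token_type": "Bearer", "scope": "read:invoices"}',
        ["read:invoices"]))
```

The Client Credentials body carries no `username` or `password`, so there is no user account to provision, rotate or lock out; the only secret is the one issued to that specific app.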

Further reading