Call API Using the Client Credentials Flow

This tutorial will help you call your API from a machine-to-machine (M2M) application using the Client Credentials Flow. If you want to learn how the flow works and why you should use it, see Client Credentials Flow.

Auth0 makes it easy for your app to implement the Client Credentials Flow. Following successful authentication, the calling application will have access to an Access Token, which can be used to call your protected APIs.


Before beginning this tutorial:


  1. Request a token: From the authorized application, request an Access Token for your API.
  2. Call your API: Use the retrieved Access Token to call your API.

Optional: Explore Sample Use Cases

Request Token

To access your API, you must request an Access Token for it. To do so, you will need to POST to the token URL.

Example POST to token URL


| Parameter Name | Description |
| --- | --- |
| grant_type | Set this to "client_credentials". |
| client_id | Your application's Client ID. You can find this value on the application's settings tab. |
| client_secret | Your application's Client Secret. You can find this value on the application's settings tab. |
| audience | The audience for the token, which is your API. You can find this in the Identifier field on your API's settings tab. |


If all goes well, you'll receive an HTTP 200 response with a payload containing access_token, token_type, and expires_in values:

You should validate your token before saving it. To learn how, see Validate an Access Token.

Call your API

To call your API from the M2M application, the application must pass the retrieved Access Token as a Bearer token in the Authorization header of your HTTP request.
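The two steps above (request a token, then call your API) as an added example, not code from the original page: it builds both HTTP requests with Python's standard library without sending them, and checks a constructed sample token response before using it. The tenant domain, API URL, client values and the `M2M_CLIENT_SECRET` variable name are assumptions; `/oauth/token` is Auth0's token endpoint path.

```python
import json
import os
import time
import urllib.parse
import urllib.request

def build_token_request(domain, client_id, client_secret, audience):
    """Build (but do not send) the POST to the token URL."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }).encode("ascii")
    return urllib.request.Request(
        f"https://{domain}/oauth/token",  # domain is a placeholder tenant
        data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )

def parse_token_response(body, now=None):
    """Check the HTTP 200 payload; return the token with an absolute expiry."""
    payload = json.loads(body)
    missing = {"access_token", "token_type", "expires_in"} - set(payload)
    if missing:
        raise ValueError(f"token response missing: {sorted(missing)}")
    if payload["token_type"].lower() != "bearer":
        raise ValueError("unexpected token_type")
    now = time.time() if now is None else now
    return {"access_token": payload["access_token"],
            "expires_at": now + int(payload["expires_in"])}

def api_request(url, token, now=None):
    """Build the API call with the Access Token as a Bearer token."""
    now = time.time() if now is None else now
    if now >= token["expires_at"]:
        raise ValueError("access token expired; request a new one")
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token['access_token']}"})

if __name__ == "__main__":
    # Assumption: the secret comes from the environment, not from source code.
    secret = os.environ.get("M2M_CLIENT_SECRET", "constructed-secret")
    req = build_token_request("tenant.example", "CONSTRUCTED_CLIENT_ID",
                              secret, "https://api.example/")
    # Constructed sample payload standing in for the token endpoint's reply.
    sample = b'{"access_token": "constructed.token", "token_type": "Bearer", "expires_in": 86400}'
    call = api_request("https://api.example/resource", parse_token_response(sample))
    print(req.get_method(), req.full_url, "->", call.full_url)
```

Pass either request to `urllib.request.urlopen` to send it; the example prints only URLs so neither the secret nor the token reaches logs.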

Sample Use Cases

Customize Tokens

You can use Hooks to change the returned scopes of Access Tokens and/or add claims to them. Auth0 invokes Hooks attached to the client credentials grant at runtime to execute your custom logic.

For more information, see our tutorial on Using Hooks with the Client Credentials Grant.

View Sample Application: Server Client + API

For a sample implementation, see the Server Client + API architecture scenario. This series of tutorials is accompanied by a code sample that you can access in GitHub.

Once your API receives a request with an Access Token, it will need to validate the token. For details, see Validate an Access Token.
