Call API Using the Client Credentials Flow
Auth0 makes it easy for your app to implement the Client Credentials Flow. Following successful authentication, the calling application will have access to an Access Token, which can be used to call your protected APIs.
Before beginning this tutorial:
- Select an Application Type of Machine to Machine Applications.
- Choose your previously-registered API.
- Authorize the M2M Application to call your API.
Steps:
- Request a token: From the authorized application, request an Access Token for your API.
- Call your API: Use the retrieved Access Token to call your API.
- Optional: Explore Sample Use Cases
To access your API, you must request an Access Token for it. To do so, you will need to POST to the token URL.
Example POST to token URL
|grant_type|Set this to "client_credentials".|
|client_id|Your application's Client ID. You can find this value on the application's settings tab.|
|client_secret|Your application's Client Secret. You can find this value on the application's settings tab.|
|audience|The audience for the token, which is your API. You can find this in the Identifier field on your API's settings tab.|
If all goes well, you'll receive an HTTP 200 response with a payload containing
Call your API
To call your API from the M2M application, the application must pass the retrieved Access Token as a Bearer token in the Authorization header of your HTTP request.
Sample Use Cases
You can use Hooks to change the returned scopes of Access Tokens and/or add claims to them. Auth0 invokes Hooks attached to the client credentials grant at runtime to execute your custom logic.
For more information, see our tutorial on Using Hooks with the Client Credentials Grant.
View Sample Application: Server Client + API
Once your API receives a request with an Access Token, it will need to validate the token. For details, see Validate Access Tokens.