Call API Using the Client Credentials Flow

This tutorial will help you call your API from a machine-to-machine (M2M) application using the Client Credentials Flow. If you want to learn how the flow works and why you should use it, see Client Credentials Flow.

Auth0 makes it easy for your app to implement the Client Credentials Flow. Following successful authentication, the calling application will have access to an Access Token, which can be used to call your protected APIs.


Before beginning this tutorial:


  1. Request a token: From the authorized application, request an Access Token for your API.
  2. Call your API: Use the retrieved Access Token to call your API.

Optional: Explore Sample Use Cases

Request Token

To access your API, you must request an Access Token for it. To do so, you will need to POST to the token URL.

Example POST to token URL


Parameter Name | Description
grant_type     | Set this to "client_credentials".
client_id      | Your application's Client ID. You can find this value on the application's settings tab.
client_secret  | Your application's Client Secret. You can find this value on the application's settings tab.
audience       | The audience for the token, which is your API. You can find this in the Identifier field on your API's settings tab.


If all goes well, you'll receive an HTTP 200 response with a payload containing access_token, token_type, and expires_in values:

You should validate your token before saving it. To learn how, see Verify Access Tokens.

Call your API

To call your API from the M2M application, the application must pass the retrieved Access Token as a Bearer token in the Authorization header of your HTTP request.
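The two steps above (POST the four parameters to the token URL, then send the returned Access Token as a Bearer token) as an added Python example; it is not code from the Auth0 documentation. The token URL is a placeholder (Auth0's token endpoint is https://{your-tenant-domain}/oauth/token), and the opener is injectable so the exchange can be exercised offline with a constructed response.

```python
import json
import time
import urllib.parse
import urllib.request

# Placeholder (assumed): replace YOUR_DOMAIN with your tenant domain.
TOKEN_URL = "https://YOUR_DOMAIN/oauth/token"


def build_token_request(client_id, client_secret, audience):
    """Form-encode the four parameters of the client credentials grant."""
    params = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }
    return urllib.parse.urlencode(params).encode("utf-8")


def parse_token_response(status, body, now=None):
    """Check the token endpoint reply and record an absolute expiry time."""
    if status != 200:
        raise RuntimeError("token request failed with HTTP %d" % status)
    data = json.loads(body)
    missing = [k for k in ("access_token", "token_type", "expires_in") if k not in data]
    if missing:
        raise ValueError("token response lacks " + ", ".join(missing))
    if data["token_type"].lower() != "bearer":
        raise ValueError("unexpected token_type %r" % data["token_type"])
    now = time.time() if now is None else now
    return {"access_token": data["access_token"], "expires_at": now + int(data["expires_in"])}


def request_token(client_id, client_secret, audience, token_url=TOKEN_URL, opener=urllib.request.urlopen):
    """POST to the token URL; `opener` defaults to urlopen but can be faked for offline use."""
    req = urllib.request.Request(
        token_url,
        data=build_token_request(client_id, client_secret, audience),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with opener(req) as resp:
        return parse_token_response(resp.status, resp.read())


def authorization_header(token, now=None, skew=30):
    """Bearer header for the API call; refuse a token that is expired or about to expire."""
    now = time.time() if now is None else now
    if now + skew >= token["expires_at"]:
        raise RuntimeError("access token expired; request a new one")
    return {"Authorization": "Bearer " + token["access_token"]}
```

Cache the parsed token and reuse it until `authorization_header` refuses it, rather than requesting a fresh token on every API call.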

Sample Use Cases

Customize Tokens

You can use Hooks to change the returned scopes of Access Tokens and/or add claims to them. Auth0 invokes Hooks attached to the client credentials grant at runtime to execute your custom logic.

For more information, see our tutorial on Using Hooks with the Client Credentials Grant.

View Sample Application: Server Client + API

For a sample implementation, see the Server Client + API architecture scenario. This series of tutorials is accompanied by a code sample that you can access in GitHub.

Once your API receives a request with an Access Token, it will need to validate the token. For details, see Validate Access Tokens.
