
Client credentials

The client_credentials grant type authenticates the application itself with a client ID and a client secret (comparable to the consumer key and secret of OAuth 1.0); no end user takes part in the flow. It is appropriate for machine-to-machine access that does not act on behalf of a specific user, such as scheduled tasks.

This grant type does not issue a refresh_token (see RFC 6749, The OAuth 2.0 Authorization Framework, section 4.4.3). When the access token expires, the application simply requests a new one with its client credentials.


ROLE_PARTNER and ROLE_PARTNER_READ are the only scopes allowed for this grant type. Request only ROLE_PARTNER_READ unless the task must write.

The following diagram illustrates this flow:

OAuth 2.0 Client Credentials flow

  1. The application initiates the flow by sending a POST request to the token endpoint to exchange its client credentials for an access token. The request must be authenticated with HTTP Basic authentication, using the client ID as the username and the client secret as the password, and must be sent over TLS; never place the client secret in a URL or write it to logs.

    Sample request:

    curl -X POST -u appdirect-49:9vY0s4yb2pbnP7Vz \
      -H 'Content-Type: application/x-www-form-urlencoded' "" \
      -d "grant_type=client_credentials&scope=ROLE_PARTNER_READ"

    The -u option sends the client ID and secret as the HTTP Basic Authorization header. The form body carries two parameters:

    grant_type    Must be client_credentials, which indicates that this is the Client Credentials grant type.
    scope         A space-separated list of requested scopes (the space is form-encoded as + or %20 in the body).
  2. The token endpoint returns the access token.

    Sample response:

    {
      "access_token": "7iVGxe84f1ew6QENpCD3",
      "refresh_token": "qsdfbasfsa1bjbfdjbfs",
      "token_type": "bearer",
      "expires_in": 43199,
      "scope": "ROLE_PARTNER_READ"
    }

    expires_in is the token lifetime in seconds. The refresh_token field shown in this sample is not used by this grant type; when the access token expires, repeat step 1 rather than attempting a refresh.
  3. Call an AppDirect API and include the access token in the Authorization header as a bearer token.

    Sample request:

    curl -H 'Authorization: Bearer 7iVGxe84f1ew6QENpCD3' ""
  4. Receive the API response. An HTTP 401 response indicates an expired or invalid token; repeat step 1 to obtain a new one.
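The four steps above as a working client, added here as an example; it is not AppDirect's own SDK or code. The token endpoint and API URLs (https://example.invalid/...), the FakeTransport that stands in for the server so the example runs offline, and the 60-second renewal margin are assumptions for illustration; the client ID, secret and scope are the page's sample values. The client sends the credentials only as HTTP Basic over https, refuses scopes outside the two the page allows, caches the token until shortly before expires_in elapses, and discards any refresh_token a server happens to return.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# The page states these are the only scopes allowed for client_credentials.
ALLOWED_SCOPES = {"ROLE_PARTNER", "ROLE_PARTNER_READ"}


def urllib_transport(method, url, headers, body):
    """Real HTTPS transport: returns (status, response_bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


class ClientCredentialsClient:
    """Obtains and caches a bearer token via the client_credentials grant."""

    RENEW_MARGIN = 60  # seconds before expiry at which a new token is fetched (assumed value)

    def __init__(self, token_url, client_id, client_secret, scopes,
                 transport=urllib_transport, clock=time.time):
        bad = sorted(set(scopes) - ALLOWED_SCOPES)
        if bad:
            raise ValueError(f"scopes not allowed for client_credentials: {bad}")
        if not token_url.startswith("https://"):
            raise ValueError("the client secret must only travel over TLS")
        self.token_url, self.client_id, self.client_secret = token_url, client_id, client_secret
        self.scopes, self.transport, self.clock = list(scopes), transport, clock
        self._token, self._expires_at = None, 0.0

    def _basic_auth(self):
        # HTTP Basic per RFC 6749 section 2.3.1: base64("client_id:client_secret")
        raw = f"{self.client_id}:{self.client_secret}".encode()
        return "Basic " + base64.b64encode(raw).decode()

    def build_token_request(self):
        """Step 1: the POST to the token endpoint (what the page's curl sends)."""
        headers = {"Authorization": self._basic_auth(),
                   "Content-Type": "application/x-www-form-urlencoded"}
        # scope is space-separated; urlencode form-encodes the separator as '+'
        body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                       "scope": " ".join(self.scopes)}).encode()
        return "POST", self.token_url, headers, body

    def fetch_token(self):
        """Step 2: parse the token response and cache the access token."""
        status, raw = self.transport(*self.build_token_request())
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        data = json.loads(raw)
        if data.get("token_type", "").lower() != "bearer":
            raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
        # RFC 6749 section 4.4.3: this grant issues no refresh token. Drop the field
        # if a server sends one anyway; expiry is handled by re-authenticating.
        data.pop("refresh_token", None)
        self._token = data["access_token"]
        self._expires_at = self.clock() + int(data.get("expires_in", 0))
        return data

    def access_token(self):
        """Return the cached token, re-authenticating when it is (nearly) expired."""
        if self._token is None or self.clock() >= self._expires_at - self.RENEW_MARGIN:
            self.fetch_token()
        return self._token

    def call_api(self, url, method="GET"):
        """Steps 3 and 4: call the API with the token as a bearer credential."""
        headers = {"Authorization": f"Bearer {self.access_token()}"}
        return self.transport(method, url, headers, None)


class FakeTransport:
    """Constructed stand-in for the token endpoint and API so the example runs offline."""

    def __init__(self):
        self.issued = 0  # number of access tokens handed out so far

    def __call__(self, method, url, headers, body):
        if url.endswith("/oauth/token"):
            expected = "Basic " + base64.b64encode(b"appdirect-49:9vY0s4yb2pbnP7Vz").decode()
            if method != "POST" or headers.get("Authorization") != expected:
                return 401, b'{"error": "invalid_client"}'
            form = urllib.parse.parse_qs(body.decode())
            if form.get("grant_type") != ["client_credentials"]:
                return 400, b'{"error": "unsupported_grant_type"}'
            self.issued += 1
            # Mirrors the page's sample response, including its refresh_token field.
            return 200, json.dumps({"access_token": f"tok{self.issued}",
                                    "refresh_token": "qsdfbasfsa1bjbfdjbfs",
                                    "token_type": "bearer", "expires_in": 43199,
                                    "scope": form["scope"][0]}).encode()
        if self.issued and headers.get("Authorization") == f"Bearer tok{self.issued}":
            return 200, b'{"ok": true}'
        return 401, b'{"error": "invalid_token"}'


def demo():
    """Two API calls within the token lifetime, one after it: expect one re-authentication."""
    clock = {"now": 1_000_000.0}
    transport = FakeTransport()
    client = ClientCredentialsClient("https://example.invalid/oauth/token",  # assumed URL
                                     "appdirect-49", "9vY0s4yb2pbnP7Vz",
                                     ["ROLE_PARTNER_READ"],
                                     transport=transport, clock=lambda: clock["now"])
    s1, _ = client.call_api("https://example.invalid/api/account")  # assumed URL
    clock["now"] += 100                 # still valid: cached token is reused
    s2, _ = client.call_api("https://example.invalid/api/account")
    clock["now"] += 43199 - 100 - 30    # inside RENEW_MARGIN: re-authenticate first
    s3, _ = client.call_api("https://example.invalid/api/account")
    return s1, s2, s3, transport.issued


if __name__ == "__main__":
    print(demo())  # (200, 200, 200, 2)
```

Against the real service, pass the token endpoint URL and drop the transport and clock arguments so urllib_transport and time.time are used; the renewal margin keeps a long-running scheduled task from presenting a token that expires between the check and the API call.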
