Client Credentials

The Client Credentials grant type is used when there is no resource owner involved in the interaction with the authorization server or resource server. Because the client secret must be kept confidential, this grant type should only be used by clients whose code is kept in a secured location. No browser interaction is required for this grant type.

The flow is as follows:


The steps are:

  • A) The client requests an access token by sending the client credentials to the authorization server.
  • B) The authorization server validates the client credentials and returns an access token.

EXAMPLE FLOW USING WSO2 AND CURL

This example uses command-line curl to emulate the interaction outlined above. This example assumes the client has been registered in API Manager, has provided a redirect_uri, and has been issued a client_id and a client_secret. It also assumes the redirect_uri is invalid (the browser will return a 404 error when attempting to redirect to the redirect_uri).

The -k command-line option instructs curl to skip verification of the server's TLS certificate. The -v option specifies verbose mode so we can see the response headers.

Be sure to enclose the URLs in quotation marks. Some characters within the URL are special characters in some operating systems.

A,B) The client requests an access token from the authorization server. The authorization server responds with an access token. Note that this is a POST request with the grant_type in the body of the request. The client credentials are passed in a Basic Authentication authorization header. See the example below.

curl -k -d "grant_type=client_credentials" -u "client_id:client_secret" "https://api.byu.edu/token"

Which returns:

{"scope":"default","token_type":"bearer","expires_in":3600,"refresh_token":"refresh_token","access_token":"access_token"}

The access_token can now be used to request access to protected resources.

curl -v -k -H "Authorization: Bearer <access_token>" "https://api.byu.edu/byuapi/personsummary/v1/bdm4"
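The same two steps (A, B) as a Python client, added here as an example that is not part of this page or of WSO2's own libraries: it builds the token request with the credentials in a Basic header, validates the token response and tracks its expiry, and keeps TLS verification on instead of using the equivalent of curl -k. The TOKEN_URL is the endpoint from the page; client_id and client_secret are the placeholders issued by API Manager, and GRACE_SECONDS is an assumed refresh margin.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.byu.edu/token"  # token endpoint used on this page
GRACE_SECONDS = 60                       # assumed margin: refresh before expiry

def basic_auth_header(client_id, client_secret):
    """Credentials travel in an HTTP Basic header (RFC 6749 sec. 2.3.1), never in
    the query string, where they would end up in access logs and proxy caches."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def build_token_request(client_id, client_secret, token_url=TOKEN_URL):
    """Step A: POST with grant_type in the form body and credentials in the header."""
    return {"method": "POST", "url": token_url,
            "headers": {"Authorization": basic_auth_header(client_id, client_secret),
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urllib.parse.urlencode({"grant_type": "client_credentials"})}

def parse_token_response(raw, now=None):
    """Step B: validate the JSON and turn relative expires_in into absolute expires_at."""
    tok = json.loads(raw)
    if str(tok.get("token_type", "")).lower() != "bearer":
        raise ValueError("unsupported token_type: %r" % tok.get("token_type"))
    if not tok.get("access_token"):
        raise ValueError("token response carries no access_token")
    now = time.time() if now is None else now
    return {"access_token": tok["access_token"], "scope": tok.get("scope", ""),
            "expires_at": now + int(tok.get("expires_in", 0))}

def token_is_fresh(tok, now=None):
    """True while the cached token has more than GRACE_SECONDS of life left."""
    now = time.time() if now is None else now
    return tok["expires_at"] - now > GRACE_SECONDS

def fetch_token(client_id, client_secret, token_url=TOKEN_URL):
    """Perform step A over HTTPS; certificate verification stays on (no curl -k)."""
    r = build_token_request(client_id, client_secret, token_url)
    req = urllib.request.Request(r["url"], data=r["body"].encode("ascii"),
                                 headers=r["headers"], method=r["method"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read().decode("utf-8"))

def bearer_headers(tok):
    """Header for the protected-resource call (the second curl command above)."""
    return {"Authorization": "Bearer " + tok["access_token"]}
```

Call fetch_token() once, cache the result, and re-fetch only when token_is_fresh() returns False; the client_secret itself never needs to be logged or passed beyond basic_auth_header().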