Client Credentials Flow for Machine-to-Machine
Understand the Client Credentials grant type used for server-to-server (M2M) communication where no user interaction is needed.
Detailed Explanation
Client Credentials Grant
The Client Credentials flow is the simplest OAuth 2.0 grant type. It is designed for machine-to-machine (M2M) scenarios where the client itself is the resource owner — there is no end user involved.
How It Works
1. Token Request: The client sends a POST request to the /token endpoint with grant_type=client_credentials and authenticates using its client_id and client_secret (typically via HTTP Basic authentication or in the request body).
2. Access Token: The authorization server validates the credentials and returns an access token. No refresh token is typically issued.
3. API Access: The client uses the access token to call the resource server's API.
Request Example
POST /token HTTP/1.1
Host: auth.example.com
Authorization: Basic czZCaGRSa3F0MzoZ...
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&scope=read%20write
Response Example
{
"access_token": "eyJhbGciOiJSUzI1NiIs...",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "read write"
}
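The three steps above, worked end to end in one process as an added example (not code from the original page or from any OAuth library): the client builds the same request as the example, a minimal in-memory authorization server checks the Basic credentials and grant_type and narrows the requested scope to what the client is registered for, and a minimal resource server checks the Bearer token's expiry and scope. The client registration (client id "billing-service", its secret, its allowed scopes) and the opaque token format are constructed for the illustration; the page's example returns a JWT instead.

```python
"""Client Credentials exchange: client, authorization server and resource
server in one process. Illustrative only; the registration data below is constructed."""
import base64
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed registration: one confidential client with its secret and the
# scopes it is allowed to obtain (it may ask for "read write" but only gets "read").
REGISTERED_CLIENTS = {
    "billing-service": {"secret": "s3cr3t-example-value", "allowed_scopes": {"read"}},
}
TOKEN_LIFETIME = 3600  # seconds, matching expires_in in the response example

# Issued tokens: opaque token -> (client_id, granted scopes, expiry timestamp)
ISSUED_TOKENS = {}


def build_token_request(client_id, client_secret, scope):
    """Step 1 (client): headers and form body for POST /token. Credentials go
    in an HTTP Basic header; the body carries grant_type and the requested scope."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return headers, body


def token_endpoint(headers, body, now=None):
    """Step 2 (authorization server): validate the client credentials and
    grant_type, narrow the scope, and return (status, JSON response)."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, _, client_secret = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 credentials
        return 401, {"error": "invalid_client"}
    client = REGISTERED_CLIENTS.get(client_id)
    # Constant-time comparison so the secret check does not leak timing information.
    if client is None or not hmac.compare_digest(client["secret"].encode(), client_secret.encode()):
        return 401, {"error": "invalid_client"}
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    requested = set(form.get("scope", [""])[0].split())
    granted = (requested & client["allowed_scopes"]) if requested else client["allowed_scopes"]
    if not granted:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)  # opaque token for the illustration
    ISSUED_TOKENS[token] = (client_id, granted, now + TOKEN_LIFETIME)
    # No refresh token: the client re-authenticates with its credentials when this expires.
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": TOKEN_LIFETIME, "scope": " ".join(sorted(granted))}


def resource_api(headers, required_scope, now=None):
    """Step 3 (resource server): accept the Bearer token and check expiry and
    scope. The token identifies the calling application, not a user."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_token"}
    entry = ISSUED_TOKENS.get(auth[7:])
    if entry is None or entry[2] <= now:
        return 401, {"error": "invalid_token"}
    client_id, granted, _ = entry
    if required_scope not in granted:
        return 403, {"error": "insufficient_scope"}
    return 200, {"caller": client_id, "subscription": "active"}


def run_flow(client_id, client_secret, scope="read write"):
    """Drive all three steps; returns (token response, API response or None)."""
    headers, body = build_token_request(client_id, client_secret, scope)
    status, token_resp = token_endpoint(headers, body)
    if status != 200:
        return token_resp, None
    api_headers = {"Authorization": f"Bearer {token_resp['access_token']}"}
    _, api_resp = resource_api(api_headers, "read")
    return token_resp, api_resp


if __name__ == "__main__":
    print(json.dumps(run_flow("billing-service", "s3cr3t-example-value"), indent=2))
```

Running the script shows the server granting only "read" even though the client asked for "read write", which is the scope-limiting point from the considerations below applied on the issuing side; a wrong secret, a non-client_credentials grant_type, an expired token, and a call needing a scope the token lacks each produce the corresponding OAuth error instead of a token or API result.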
Security Considerations
- Only use with confidential clients that can securely store credentials (backend services, cron jobs, etc.)
- Never use this flow in a browser or mobile app
- Rotate client secrets regularly
- Limit scopes to the minimum required
- Since there is no user context, the access token represents the application itself, not a user
Use Case
A backend microservice that needs to call another internal API. For example, a billing service that queries a user database service to look up subscription status. No end user is involved in the request — the service authenticates as itself.