
Client Credentials

This section describes how to obtain an access token with the client_credentials grant type, in which a confidential client authenticates with its own client ID and secret (its service account) rather than on behalf of a user.

Resource Information

Name                     | Value | Description
Requires authentication? | Yes   | The request is authenticated with the client ID and client secret; no user credentials are involved.
Rate limited?            | No    | Whether the number of requests a client may make in a given time period is limited.

Request

Request headers

Key          | Value                             | Description
Content-Type | application/x-www-form-urlencoded | Encodes the name-value pairs of the request body the way a submitted HTML form does.

HTTP request

POST https://{tenantId}.{hostname}/auth/realms/{tenantId}/protocol/openid-connect/token
Note

API requests must be made over HTTPS. Calls made over plain HTTP fail.

Request body (Required)

Parameter Name           | Type   | Description
grant_type (Required)    | String | Must be client_credentials.
client_id (Required)     | String | The client ID for which the access token is to be generated. NOTE: the Service Accounts Enabled option must be switched ON for that client, otherwise the request is rejected with 401 (see the status table below).
client_secret (Required) | String | The secret belonging to the given client ID. A secret is only issued to clients created with the confidential access type, and this grant is available only to such clients, so the parameter is required here.

Sample Request

curl --location --request POST 'https://{tenantId}.{hostname}/auth/realms/{tenantId}/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=test' \
--data-urlencode 'client_secret=28fe1fdd-1904-48ab-b0f7-15bf9aa1a41a'

Note

The sample places the client secret directly on the command line, where it is recorded in the shell history and visible to other local users in the process list. Outside of a quick test, read the secret from an environment variable or a file instead, and treat the secret like a password: it grants every permission assigned to the client's service account.

Response

Parameter Name     | Type    | Description
access_token       | String  | The newly created access token. Send it as Authorization: Bearer <access_token> on subsequent API calls.
expires_in         | Integer | Validity of the access token in seconds from the time of issue. Request a new token before this elapses.
refresh_expires_in | Integer | Validity of a refresh token in seconds. The sample response below carries no refresh_token, so with this grant a client renews by repeating the same request rather than by refreshing.
token_type         | String  | The access token type, always Bearer for this endpoint.
not-before-policy  | Integer | Unix timestamp (seconds) of the not-before policy; tokens issued before this time are treated as invalid. 0 means no such policy is in effect.
scope              | String  | The scopes granted to the token.

Sample Response

{
"access_token": String,
"expires_in": Integer,
"refresh_expires_in": Integer,
"token_type": "Bearer",
"not-before-policy": 0,
"scope": String
}

Response Status Information

Status Code | Status       | Message
200         | OK           | OK
400         | Bad Request  | Invalid client credentials
400         | Bad Request  | Unsupported grant_type
401         | Unauthorized | HTTP 401 Unauthorized
401         | Unauthorized | Client not enabled to retrieve service account
401         | Unauthorized | Invalid client secret
404         | Not Found    | Realm does not exist
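The following Python client ties the request, response and status-code sections together. It is an added example, not code from this documentation or from the product it describes: it builds the documented POST body, validates the documented response fields, maps the non-200 statuses in the table above to an exception, and caches the access token until shortly before expires_in elapses (the sample response carries no refresh_token, so renewal is simply another client_credentials request). The tenant, hostname, client ID, secret and the two canned replies are constructed for illustration, and the exact wording of the JSON error fields (error, error_description) is an assumption about the server, not something the page specifies.

```python
"""Client-credentials token client for the token endpoint documented above.

Added example, not part of the original page. Endpoint layout, parameter
names and status codes follow the page; tenant, hostname, client id, secret
and the canned replies below are constructed for illustration.
"""
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://{tenant_id}.{hostname}/auth/realms/{tenant_id}/protocol/openid-connect/token"


class TokenError(Exception):
    """Raised when the token endpoint does not return a usable access token."""

    def __init__(self, status, error, description=""):
        msg = f"{status} {error}" + (f": {description}" if description else "")
        super().__init__(msg)
        self.status, self.error, self.description = status, error, description


def build_token_request(tenant_id, hostname, client_id, client_secret):
    """Return (url, headers, body) for a client_credentials grant request."""
    url = TOKEN_URL.format(tenant_id=tenant_id, hostname=hostname)
    if not url.startswith("https://"):
        raise ValueError("token endpoint must use https")  # plain http fails anyway
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def parse_token_response(status, body):
    """Validate a reply; return the parsed JSON on 200, raise TokenError otherwise."""
    try:
        data = json.loads(body)
    except ValueError:
        data = {}
    if not isinstance(data, dict):
        data = {}
    if status != 200:
        # 400 (bad grant_type / credentials), 401 (bad secret, service account
        # disabled) and 404 (unknown realm) from the status table all land here.
        # The error/error_description field names are an assumption.
        raise TokenError(status, data.get("error", "http_error"),
                         data.get("error_description", ""))
    missing = [k for k in ("access_token", "expires_in", "token_type") if k not in data]
    if missing:
        raise TokenError(status, "invalid_response", "missing " + ", ".join(missing))
    if str(data["token_type"]).lower() != "bearer":
        raise TokenError(status, "invalid_response",
                         f"unexpected token_type {data['token_type']!r}")
    return data


class TokenCache:
    """Reuse an access token until `skew` seconds before it expires, then
    request a new one with the same client_credentials call."""

    def __init__(self, fetch, skew=30):
        self._fetch = fetch          # callable () -> (status, body)
        self._skew = skew            # renew this many seconds early
        self._token = None
        self._expires_at = 0.0
        self.requests = 0            # token requests actually made

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self._skew:
            data = parse_token_response(*self._fetch())
            self.requests += 1
            self._token = data["access_token"]
            self._expires_at = now + int(data["expires_in"])
        return self._token


def http_fetch(url, headers, body):
    """Live POST returning (status, body); HTTP errors become ordinary statuses."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


# Constructed replies shaped like the documented sample response and error
# table; no network is involved when these are used.
OK_REPLY = (200, json.dumps({
    "access_token": "eyJ.constructed.token", "expires_in": 300,
    "refresh_expires_in": 0, "token_type": "Bearer",
    "not-before-policy": 0, "scope": "profile email"}).encode())
BAD_SECRET_REPLY = (401, json.dumps({
    "error": "invalid_client", "error_description": "Invalid client secret"}).encode())


if __name__ == "__main__":
    # Secrets belong in the environment or a file, not on the command line.
    secret = os.environ.get("CLIENT_SECRET", "constructed-secret")
    url, headers, body = build_token_request("acme", "example.com", "test", secret)
    cache = TokenCache(lambda: http_fetch(url, headers, body))
    try:
        print("access token starts with", cache.get()[:16])
    except (TokenError, urllib.error.URLError) as err:
        print("token request failed:", err)
```

Run it with CLIENT_SECRET set (and the tenant and hostname replaced by real values) to exercise the live path; the canned OK_REPLY and BAD_SECRET_REPLY can be handed to TokenCache in place of http_fetch to exercise the renewal and error handling offline. The 30-second skew avoids presenting a token that expires in flight; size it to the longest request your client makes.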