Client Credentials
This section describes how to procure an access token for authorization using the client credentials as a grant type.
Resource Informations
| Name | Value | Description |
|---|---|---|
| Requires authentication? | Yes | ClientID is required for this authentication |
| Rate limited? | No | Rate limited indicate how many requests a client can make in a time period |
Request
Request headers
| Key | Value | Description |
|---|---|---|
| Content-Type | application/x-www-form-urlencoded | Method for sending name-value pairs data to the server, such as the information you typed into a HTML form. |
HTTP request
POST https://{tenantId}.{hostname}/auth/realms/{tenantId}/protocol/openid-connect/token
note
API requests must be made over https. Calls made over plain http will fail.
Request body (*Required)
| Parameter Name | Type | Description |
|---|---|---|
| grant_type* | String | The grant type should be client_credentials. |
| client_id* | String | The Client ID for which the access token is to be generated. NOTE: Make sure the Service Accounts Enabled option is switched to ON for the respective client. |
| client_secret* | String | Secret corresponding to the given clientID. Secret will be available only for the clients with access type selected confidential during client creation. This is an optional parameter. |
Sample Request
curl --location --request POST 'https://{tenantId}.{hostname}/auth/realms/{tenantId}/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=test' \
--data-urlencode 'client_secret=28fe1fdd-1904-48ab-b0f7-15bf9aa1a41a'
Response
| Parameter Name | Type | Description |
|---|---|---|
| access_token | String | The newly created access token. |
| expires_in | Integer | Validity of the access token in seconds. |
| refresh_expires_in | Integer | Validity of the refresh token in seconds. |
| token_type | String | Indicates access token type. |
| not-before-policy | Integer | not-before policy ensures that any tokens issued before that time become invalid. |
| scope | String | The scope requested for the token. |
Sample Response
{
"access_token": String,
"expires_in": Integer,
"refresh_expires_in": Integer,
"token_type": "Bearer",
"not-before-policy": 0,
"scope": String
}
Response Status Information
| Status Code | Status | Message |
|---|---|---|
| 200 | OK | OK |
| 400 | Bad Request | Invalid client credentials |
| 400 | Bad Request | Unsupported grant_type |
| 401 | Unauthorized | HTTP 401 Unauthorized |
| 401 | Unauthorized | Client not enabled to retrieve service account |
| 401 | Unauthorized | Invalid client secret |
| 404 | Not Found | Realm does not exist |