Call Your API Using the Client Credentials Flow

This tutorial will help you call your API from a machine-to-machine (M2M) application using the Client Credentials Flow. To learn how the flow works and why you should use it, refer to the Client Credentials Flow Guide.

Login 3.0 simplifies implementing the Client Credentials Flow. Following successful authentication, the application will receive an access token, which can be used to call your protected APIs. For more information about access tokens, refer to the Access Tokens Documentation.


Prerequisites

Before beginning this tutorial:

  1. Register your API with Login 3.0

  2. Add appropriate API permissions

  3. Configure the M2M Application with Login 3.0

    • Ensure the Application Type is set as Machine-to-Machine Applications.

    • Specify your registered API.

  4. Authorize the M2M Application to call your API.


Steps

1. Request Tokens

To access your API, request an access token by sending a POST request to the token endpoint.

Example POST to Token Endpoint

curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data client_id=YOUR_CLIENT_ID \
  --data client_secret=YOUR_CLIENT_SECRET \
  --data audience=YOUR_API_IDENTIFIER

Parameters

| Parameter Name | Description |
| --- | --- |
| grant_type | Set this to client_credentials. |
| client_id | Your application's Client ID. You can find this value in your application's configuration. |
| client_secret | Your application's Client Secret. To learn more, refer to Application Credentials. |
| audience | The audience for the token, which corresponds to your API. You can find this in your API's configuration. |
| organization | (Optional) The organization name or identifier to associate with the request. |

Response

If successful, you'll receive an HTTP 200 response with the following payload:

{
  "access_token": "eyJz93a...k4laUWw",
  "token_type": "Bearer",
  "expires_in": 86400
}

Validate tokens before using them. Refer to Validate ID Tokens and Validate Access Tokens.


2. Call API

To call your API, include the retrieved access token as a Bearer token in the Authorization header of your HTTP request.

Example API Call

curl --request GET \
  --url 'https://myapi.com/api' \
  --header 'authorization: Bearer ACCESS_TOKEN' \
  --header 'content-type: application/json'
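
Steps 1 and 2 combined, as an added example that is not part of the original tutorial or Login 3.0's own code: a small client that builds the form-encoded token request, caches the token using `expires_in`, and produces the Bearer header for the API call. The class name and the `post`, `clock` and `skew` parameters are hypothetical names chosen for this sketch.

```python
import json
import time
import urllib.parse
import urllib.request


class ClientCredentialsToken:
    """Requests an access token from /oauth/token and caches it until expiry."""

    def __init__(self, domain, client_id, client_secret, audience,
                 organization=None, post=None, clock=time.time, skew=60):
        self.url = f"https://{domain}/oauth/token"
        self.form = {"grant_type": "client_credentials", "client_id": client_id,
                     "client_secret": client_secret, "audience": audience}
        if organization:  # optional parameter from the table above
            self.form["organization"] = organization
        self._post = post or self._http_post  # injectable so tests run offline
        self._clock, self._skew = clock, skew
        self._token, self._expires_at = None, 0.0

    @staticmethod
    def _http_post(url, body):
        # urlopen raises HTTPError on non-2xx, so a rejected request never caches.
        req = urllib.request.Request(
            url, data=body, method="POST",
            headers={"content-type": "application/x-www-form-urlencoded"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    def get(self):
        """Return the cached token; request a new one `skew` seconds before expiry."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            body = urllib.parse.urlencode(self.form).encode()
            payload = self._post(self.url, body)
            token = payload.get("access_token")
            if not token or payload.get("token_type", "").lower() != "bearer":
                raise ValueError("token endpoint returned an unexpected payload")
            self._token = token
            self._expires_at = self._clock() + int(payload["expires_in"])
        return self._token

    def auth_headers(self):
        """Headers for the API call in step 2."""
        return {"authorization": f"Bearer {self.get()}",
                "content-type": "application/json"}
```

Load `client_secret` from an environment variable or a secret store rather than source code or command-line arguments, and reuse one instance per process so the token endpoint is hit once per token lifetime instead of once per API call.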
