
OAuth2 Client Credentials flow

The OAuth2 Client Credentials flow is the most direct form of authentication. The Client Credentials must be treated confidentially and must not be disclosed to third parties.
In any case, the following guidelines apply:
The Client Credentials are not accessible by or visible to the user.
The code is not plainly accessible in a public downloadable binary.

The client credentials consist of two fields:


After registration, the Client Credentials are provided per application by email.

These credentials can be exchanged for a JWT (JSON Web Token), which can then be used to communicate with the APIs. This takes place via the OAuth2 client credentials flow. You can read about this in Okta's documentation:

The URL with which credentials can be exchanged for a JWT is included in the configuration files of the authentication server:




Configure token endpoint

Please note that depending on the OAuth library that you use, you have to either configure the token endpoint directly (, or the address of the authorization server itself (

The obtained JWT has to be included with every API call in the Authorization HTTP header, preceded by 'Bearer'.

This JWT is an encrypted JSON message. You can read more about this token and you can also easily inspect the contents on

Using the API-key and the JWT-token, the data of the user can be accessed.

The implementation will then look as follows:

More information can be found here:


By executing the following requests, you can easily verify that authentication works properly.

First request a token. Replace the CLIENT_ID and CLIENT_SECRET placeholders with your personal values.

curl --location --request POST '' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=##CLIENT_ID##' \
--data-urlencode 'client_secret=##CLIENT_SECRET##' \
--data-urlencode 'scope=role:app catalog:read sales-order:write organization:read supply:read supply:write sales-order:read delivery-conditions:read fulfillment:write fulfillment:read'

With the returned access token, try to GET all organizations belonging to the account identified by the API-Key.

curl --location --request GET '' \
--header 'X-Api-Key: ##API_KEY##' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer ##ACCESS_TOKEN##'
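
The two requests above combined into a small client, as an added example that is not part of the original documentation: it reads the credentials from the environment instead of from code and reuses the JWT until shortly before it expires. TOKEN_URL is a placeholder, and the environment variable names and the presence of an exp claim in the JWT are assumptions; the page does not show them.

```python
import base64, json, os, time, urllib.parse, urllib.request

# Placeholder: the real token endpoint is not shown on this page.
TOKEN_URL = "https://auth.example.invalid/oauth2/token"

def build_token_request(client_id, client_secret, scope, token_url=TOKEN_URL):
    """Form-encoded POST for the client credentials grant (same fields as the curl call)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    headers = {"Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")

def jwt_claims(token):
    """Decode the JWT payload without verifying the signature; used only to read exp."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

class TokenCache:
    """Reuse one JWT until `skew` seconds before its exp claim (assumed present)."""
    def __init__(self, fetch, skew=60):
        self._fetch, self._skew = fetch, skew
        self._token, self._exp = None, 0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._exp - self._skew:
            self._token = self._fetch()
            self._exp = jwt_claims(self._token)["exp"]
        return self._token

def api_headers(token, api_key):
    """Headers for every API call: API key plus the JWT preceded by 'Bearer'."""
    return {"X-Api-Key": api_key, "Accept": "application/json",
            "Authorization": f"Bearer {token}"}

def fetch_token_from_env():
    """Request a token using credentials kept out of the source (variable names assumed)."""
    req = build_token_request(os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"],
                              os.environ["SCOPE"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]
```

Create one TokenCache(fetch_token_from_env) per process and pass the result of its get() to api_headers for each call, so the client secret is sent only when a new token is actually needed.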