Oauth2 Client credentials flow

Oauth2 Client Credentials flow is the most direct form of authorization. The Client Credentials must be treated confidentially and must not be disclosed to third parties.


The following guidelines apply:

  • The Client Credentials are not accessible by or visible to the user.
  • The code is not plainly accessible in a public downloadable binary.
  • An API key is required.
  • The Client Cedentials consist of two fields:

JSON web token

After registration, the Client Credentials are provided per application by email.

These Credentials can be exchanged for a JWT (JSON web token), which can then be used to communicate with the APIs. This takes place via the OAuth2 Client Credentials flow. Read more about this in Okta's documentation.

This JWT is an encrypted JSON message. To inspect the contents and learn more about this token, please visit www.jwt.io.

The URL with which credentials can be exchanged for a JWT is included in the configuration files of the authorization server:

Staging: https://idm.staging.floriday.io/oauth2/ausmw6b47z1BnlHkw0h7/.well-known/oauth-authorization-server

Live: https://idm.floriday.io/oauth2/aus3testdcf2vyfs70i7


Configure token endpoint

Please note that depending on the OAuth library that you use, you have to either:

Using the JWT-token

The obtained JWT has to be included with every API call in the Authorization HTTP header, preceded by 'Bearer'.

By using the API-key alongside the JWT-token, the user's data can be accessed.

The implementation will then look as follows:

More information can be found here: https://developer.okta.com/docs/guides/implement-client-creds/overview/


By executing the following requests, one can easily validate if the authorization properly works.

First request a token. Replace the CLIENT_ID and CLIENT_SECRET placeholders with your personal values.

curl --location --request POST 'https://idm.staging.floriday.io/oauth2/ausmw6b47z1BnlHkw0h7/v1/token' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=##CLIENT_ID##' \
--data-urlencode 'client_secret=##CLIENT_SECRET##' \
--data-urlencode 'scope=role:app catalog:read sales-order:write organization:read supply:read supply:write sales-order:read delivery-conditions:read fulfillment:write fulfillment:read'

With the returned access token try to GET all organization belonging to the account identified by the API-Key.

For suppliers:

curl --location --request GET 'https://api.staging.floriday.io/suppliers-api-{version}/auth/key' \
--header 'X-Api-Key: ##API_KEY##' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer ##ACCESS_TOKEN##

For customers:

curl --location --request GET 'https://api.staging.floriday.io/customers-api-{version}/identities' \
--header 'X-Api-Key: ##API_KEY##' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer ##ACCESS_TOKEN##

If you're not getting a 200 response after these requests, please review your request or contact a Floriday Implementation Consultant.