API Management versions 7.5.X and 7.6.X have reached end of support in November 2020.
Check out the latest version of the documentation.

Client credentials grant flow

The client credentials grant type must only be used by confidential clients. The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control. The client can also request access to those of another resource owner that has been previously arranged with the authorization server (the method of which is beyond the scope of the specification).

Client Credentials Flow

Request an access token

The client token request should be sent in an HTTP POST to the token endpoint with the following parameters:

Parameter    Description

grant_type   Required. Must be set to client_credentials.

scope        Optional. The scope of the authorization.

format       Optional. Expected return format. The default is json. Possible values are:

             • urlencoded
             • json
             • xml

The following is an example POST request:

POST /api/oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=client_credentials

Handle the response

The API Gateway authenticates the client against the Client Application Registry. An access token is sent back to the client on success. A refresh token is not included in this flow. An example valid response is as follows:

HTTP/1.1 200 OK
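The request and response steps above, worked through in Python as an added example (this is not the page's Jython sample client and not Axway code). The token endpoint URL is a constructed placeholder, the client id and secret are the ones behind the Basic header in the example request, and the token response is constructed from the values the page's script output shows. The client secret is sent only in the Authorization header of the POST, and the response is rejected unless it is a 200 carrying a Bearer access token; the parser also accepts the urlencoded return format the parameter table lists.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

# Constructed placeholder; replace with the gateway's real token endpoint.
TOKEN_ENDPOINT = "https://gateway.example.invalid/api/oauth/token"


class TokenError(Exception):
    """Raised when the token response cannot be trusted or used."""


def build_token_request(client_id, client_secret, scope=None, fmt="json"):
    """Return (headers, body) for the client credentials token request.

    The client authenticates with HTTP Basic, so the secret travels only in
    the Authorization header of a TLS-protected POST, never in the URL where
    it would end up in access logs."""
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Authorization": "Basic " + base64.b64encode(creds).decode("ascii"),
    }
    params = {"grant_type": "client_credentials", "format": fmt}
    if scope:
        params["scope"] = scope
    return headers, urlencode(params)


def parse_token_response(status, body, fmt="json"):
    """Validate a token response and return only the fields the client needs.

    Handles the json and urlencoded return formats; anything other than a
    200 with a usable Bearer access token is rejected."""
    if status != 200:
        raise TokenError(f"token endpoint returned HTTP {status}")
    if fmt == "json":
        data = json.loads(body)
    elif fmt == "urlencoded":
        data = {k: v[0] for k, v in parse_qs(body).items()}
    else:
        raise TokenError(f"unsupported response format {fmt!r}")

    token = data.get("access_token")
    if not token:
        raise TokenError("response has no access_token")
    # RFC 6750: token_type is case-insensitive; only Bearer is usable here.
    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenError(f"unexpected token_type {data.get('token_type')!r}")
    expires_in = data.get("expires_in")
    if expires_in is not None:
        expires_in = int(expires_in)
        if expires_in <= 0:
            raise TokenError("token already expired")
    return {"access_token": token, "token_type": "Bearer", "expires_in": expires_in}


def bearer_header(token_info):
    """Authorization header for the follow-up protected-resource request."""
    return {"Authorization": "Bearer " + token_info["access_token"]}


# Constructed sample response, using the values shown in the page's script output.
SAMPLE_JSON_RESPONSE = json.dumps(
    {"access_token": "OjtVvNusLg2ujy3a6IXHhavqdE", "token_type": "Bearer", "expires_in": 3599}
)


def run_flow_offline():
    """Walk the whole flow against the constructed sample; returns what would be sent."""
    headers, body = build_token_request("s6BhdRkqt3", "gX1fBat3bV")
    token_info = parse_token_response(200, SAMPLE_JSON_RESPONSE)
    return headers, body, token_info, bearer_header(token_info)


if __name__ == "__main__":
    headers, body, token_info, auth = run_flow_offline()
    print("POST", TOKEN_ENDPOINT, headers, body, sep="\n")
    print("token:", token_info)
    print("resource request header:", auth)
```

Run it as a script to see the exact headers and body the gateway would receive; against a live gateway, send the returned headers and body with any HTTP client over TLS and feed the status and body into parse_token_response.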

Run the sample client

The following Jython sample client sends a request to the authorization server using the client credentials flow:


To run the sample, open a shell prompt at INSTALL_DIR/samples/scripts, and execute the following command:

> run oauth/client_credentials.py

The script outputs the following:

Sending up access token request using grant_type set to client_credentials
Response from access token request:200
Parsing the json response
**********************ACCESS TOKEN RESPONSE***********************************
Access token received from authorization server OjtVvNusLg2ujy3a6IXHhavqdE
Access token type received from authorization server Bearer
Access token expiry time:3599
Now we can try access the protected resource using the access token
Response from protected resource request is:200
<html>Congrats! You've hit an OAuth protected resource</html>
