This tutorial will help you call your API from a machine-to-machine (M2M) application using the Client Credentials Flow. To learn how the flow works and why you should use it, read Client Credentials Flow.
Auth0 makes it easy for your application to implement the Client Credentials Flow. Following successful authentication, the application will have access to an access token, which can be used to call your protected APIs. To learn more about access tokens, read Access Tokens.

Prerequisites

Before beginning this tutorial:

Steps

  1. Request tokens: From the authorized application, request an access token for your API.
  2. Call API: Use the retrieved access token to call your API.
  Optional: Explore sample use cases.

Request tokens

To access your API, you must request an access token for it. To do so, you will need to POST to the token URL.

Example POST to token URL

curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data client_id=YOUR_CLIENT_ID \
  --data client_secret=YOUR_CLIENT_SECRET \
  --data audience=YOUR_API_IDENTIFIER
Parameters

grant_type: Set this to “client_credentials”.
client_id: Your application’s Client ID. You can find this value on the application’s settings tab.
client_secret: Your application’s Client Secret. You can find this value on the application’s settings tab. To learn more about available application authentication methods, read Application Credentials.
audience: The audience for the token, which is your API. You can find this in the Identifier field on your API’s settings tab.
organization: Optional. The organization name or identifier you want the request to be associated with. To learn more, read Machine-to-Machine Access for Organizations.

Response

If all goes well, you’ll receive an HTTP 200 response with a payload containing access_token, token_type, and expires_in values:
{
  "access_token":"eyJz93a...k4laUWw",
  "token_type":"Bearer",
  "expires_in":86400
}
Validate your tokens before saving them. To learn how, read Validate ID Tokens and Validate Access Tokens.

Call API

To call your API from the M2M application, the application must pass the retrieved access token as a Bearer token in the Authorization header of your HTTP request.
curl --request GET \
  --url https://myapi.com/api \
  --header 'authorization: Bearer ACCESS_TOKEN' \
  --header 'content-type: application/json'
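The two steps above (request a token, then call the API with it) as one small Python client. This is an added example, not code from Auth0 or from this page. It uses only the standard library, takes the domain, Client ID, Client Secret and audience as constructor arguments (read the secret from the environment or a secret store rather than hard-coding it), and caches the token for the lifetime reported in expires_in so the application does not request a fresh token before every API call. The FakeAuth0 transport is a constructed stand-in that answers with the page's sample payload so the example runs offline; with transport left as None the client performs the real HTTP requests.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen


class ClientCredentialsClient:
    """Request an access token with the Client Credentials grant, cache it, and
    send it as a Bearer token on API calls."""

    def __init__(self, domain, client_id, client_secret, audience,
                 transport=None, clock=time.time):
        self.token_url = f"https://{domain}/oauth/token"
        self.client_id = client_id
        self.client_secret = client_secret
        self.audience = audience
        # transport(url, method, headers, body) -> (status, response_text)
        self._transport = transport or self._http_transport
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    @staticmethod
    def _http_transport(url, method, headers, body):
        req = Request(url, data=body, headers=headers, method=method)
        with urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()

    def token_request(self):
        """Build the POST to the token URL with the same form fields as the curl example."""
        body = urlencode({
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "audience": self.audience,
        }).encode()
        headers = {"content-type": "application/x-www-form-urlencoded"}
        return self.token_url, "POST", headers, body

    def get_token(self):
        """Return the cached token while it is valid; otherwise fetch a new one."""
        now = self._clock()
        if self._token is not None and now < self._expires_at:
            return self._token
        status, text = self._transport(*self.token_request())
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status}: {text}")
        payload = json.loads(text)
        if payload.get("token_type") != "Bearer":
            raise RuntimeError(f"unexpected token_type: {payload.get('token_type')!r}")
        self._token = payload["access_token"]
        # Renew 60 s before expires_in elapses so a token is never sent just as it expires.
        self._expires_at = now + int(payload["expires_in"]) - 60
        return self._token

    def call_api(self, url, method="GET"):
        """Call the protected API with the access token in the Authorization header."""
        headers = {
            "authorization": f"Bearer {self.get_token()}",
            "content-type": "application/json",
        }
        return self._transport(url, method, headers, None)


class FakeAuth0:
    """Constructed stand-in for the network (not real Auth0 behaviour): answers the
    token URL with the page's sample payload and any other URL with HTTP 200."""

    def __init__(self):
        self.token_requests = 0
        self.last_headers = None
        self.last_body = None

    def __call__(self, url, method, headers, body):
        self.last_headers = headers
        self.last_body = body
        if url.endswith("/oauth/token"):
            self.token_requests += 1
            return 200, json.dumps({"access_token": "eyJz93a...k4laUWw",
                                    "token_type": "Bearer", "expires_in": 86400})
        return 200, json.dumps({"ok": True})


if __name__ == "__main__":
    fake = FakeAuth0()
    client = ClientCredentialsClient("{yourDomain}", "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET",
                                     "YOUR_API_IDENTIFIER", transport=fake)
    print(client.call_api("https://myapi.com/api"))   # one token request, then the API call
    print(client.call_api("https://myapi.com/api"))   # cached token reused
    print("token requests:", fake.token_requests)
```

The cache matters operationally: each client_credentials request is a call to your tenant's token endpoint, and a token that is valid for 86400 seconds only needs to be fetched once a day, not once per request.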

Sample use cases

Customize tokens

You can use Actions to deny access tokens based on custom logic and/or add claims to access tokens. Auth0 invokes Actions attached to the client credentials grant at runtime to execute your custom logic. To learn more, read about the Actions Machine to Machine Flow.

View sample application: server client + API

For a sample implementation, read the Server Client + API architecture scenario. This series of tutorials is accompanied by a code sample that you can access in GitHub. Once your API receives a request with an access token, it will need to validate the token. To learn more, read Validate Access Tokens.
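The validation step mentioned here and under Request tokens, shown from the API's side: extract the Bearer token from the Authorization header, then check the algorithm, signature, issuer, audience and expiry before trusting any claim. This is an added example, not Auth0's code or the code sample from the architecture scenario. To keep it self-contained and offline it signs and verifies with HS256 under a constructed shared key; Auth0 signs API access tokens with RS256 by default, so a real API verifies the signature against the tenant's JWKS with a JWT library instead, while the claim checks are the same. API_IDENTIFIER, ISSUER and DEMO_KEY are constructed values.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed values for this example; a real API uses its own Identifier and tenant issuer.
API_IDENTIFIER = "https://myapi.example/"
ISSUER = "https://example-tenant.auth0.example/"
# HS256 shared key used only so the example runs offline (Auth0 uses RS256 + JWKS).
DEMO_KEY = b"constructed-demo-signing-key"


class TokenError(Exception):
    """Raised for any token the API must reject; the API answers HTTP 401."""


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except (binascii.Error, ValueError) as exc:
        raise TokenError("malformed base64url segment") from exc


def json_segment(text):
    try:
        return json.loads(b64url_decode(text))
    except ValueError as exc:
        raise TokenError("segment is not JSON") from exc


def mint_token(claims, key=DEMO_KEY):
    """Produce a signed JWT with the given claims (test helper standing in for Auth0)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_access_token(token, key=DEMO_KEY, now=None, leeway=30):
    """Check alg, signature, issuer, audience and expiry; return the claims on success."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json_segment(header_b64)
    # Pin the algorithm: the token must never be allowed to choose it ("none" or a swapped alg).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("signature does not verify")
    claims = json_segment(payload_b64)
    if claims.get("iss") != ISSUER:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if API_IDENTIFIER not in aud:
        raise TokenError("token was not issued for this API")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + leeway < now:
        raise TokenError("token expired")
    return claims


def authorize_request(headers, **kwargs):
    """Pull the Bearer token out of an incoming request's Authorization header and validate it."""
    auth = headers.get("authorization") or headers.get("Authorization") or ""
    scheme, _, credential = auth.partition(" ")
    if scheme.lower() != "bearer" or not credential.strip():
        raise TokenError("missing bearer token")
    return validate_access_token(credential.strip(), **kwargs)


if __name__ == "__main__":
    now = int(time.time())
    token = mint_token({"iss": ISSUER, "sub": "client@clients", "aud": API_IDENTIFIER,
                        "iat": now, "exp": now + 86400})
    print(authorize_request({"authorization": f"Bearer {token}"}))
```

The audience check is the one most often skipped: a token Auth0 issued for a different API in the same tenant carries a valid signature and issuer, and only the aud claim tells this API to refuse it.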

Learn more