Client Credentials Grant
The client credentials grant is an OAuth 2.0 flow in which an application authenticates with its own credentials, rather than on behalf of a user, to obtain an access token for machine-to-machine communication.
Also: client credentials
The client credentials grant is an OAuth 2.0 flow designed for server-to-server communication where no end user is involved. The client authenticates directly to the authorization server’s token endpoint with its own credentials (typically a client identifier and secret, sent as an HTTP Basic header or in the request body) and asks for grant_type=client_credentials; the server authenticates the client and returns an access token. There is no browser redirect and no user login prompt. Because the flow rests entirely on the client keeping its secret confidential, RFC 6749 restricts it to confidential clients such as backend services, not browser or mobile applications, and states that a refresh token should not be issued for this grant: when the access token expires, the client simply authenticates again.
This grant is used when a backend service needs to call an API on its own behalf. Examples include a nightly batch job synchronizing user records, a microservice requesting data from another internal service, or an integration pulling analytics from a third-party API. Because there is no user context, the issued token typically carries scopes tied to the application rather than to any individual.
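The following is an added example, not code from the page or from RFC 6749, showing both sides of the exchange described above in Python: the client builds the token request with HTTP Basic authentication, the authorization server authenticates the client and issues a token whose scopes are bound to the application's registration, and a resource server checks that token on an API call. The client registry, the hashed secret storage, the in-memory token store, the 3600-second lifetime and the "omitted scope means everything the client is allowed" default are all assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed client registry: a hypothetical confidential client used by a
# nightly batch job. Only a SHA-256 hash of its secret is stored (assumption),
# so a leaked registry does not hand out usable secrets.
CLIENTS = {
    "batch-sync": {
        "secret_hash": hashlib.sha256(b"s3cr3t-batch").hexdigest(),
        "allowed_scopes": {"users:read", "users:write"},
    },
}
TOKEN_TTL = 3600
ISSUED = {}  # access_token -> {"client_id", "scope", "exp"}; shared with the resource server


def build_token_request(client_id, client_secret, scope=""):
    """Client side (RFC 6749 section 4.4.2): a POST to the token endpoint with the
    client authenticated via HTTP Basic (section 2.3.1). Returns (headers, body)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope
    return headers, urlencode(params)


def token_endpoint(headers, body):
    """Authorization server side: authenticate the client, validate the request,
    and issue an access token bound to the application. Returns (status, json)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, _, presented_secret = base64.b64decode(auth[6:]).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}

    client = CLIENTS.get(client_id)
    # Hash and compare even for unknown client_ids so that a wrong id and a wrong
    # secret take the same path; compare_digest avoids a timing side channel.
    expected = client["secret_hash"] if client else "0" * 64
    presented = hashlib.sha256(presented_secret.encode()).hexdigest()
    if client is None or not hmac.compare_digest(presented, expected):
        return 401, {"error": "invalid_client"}

    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}

    # Scopes are tied to the application's registration, not to a user. An
    # omitted scope falls back to everything the client is allowed (assumption).
    requested = set(form.get("scope", [""])[0].split()) or client["allowed_scopes"]
    if not requested <= client["allowed_scopes"]:
        return 400, {"error": "invalid_scope"}

    token = secrets.token_urlsafe(32)
    ISSUED[token] = {"client_id": client_id, "scope": requested, "exp": time.time() + TOKEN_TTL}
    # No refresh_token: RFC 6749 section 4.4.3 says one SHOULD NOT be issued here;
    # the client simply authenticates again when the token expires.
    return 200, {
        "access_token": token,
        "token_type": "Bearer",
        "expires_in": TOKEN_TTL,
        "scope": " ".join(sorted(requested)),
    }


def authorize_api_call(bearer_token, required_scope, now=None):
    """Resource server side: accept the call only if the token is known, unexpired
    and carries the required scope. Returns the owning client_id or None."""
    record = ISSUED.get(bearer_token)
    if record is None or (now if now is not None else time.time()) >= record["exp"]:
        return None
    if required_scope not in record["scope"]:
        return None
    return record["client_id"]


if __name__ == "__main__":
    hdrs, body = build_token_request("batch-sync", "s3cr3t-batch", "users:read")
    status, resp = token_endpoint(hdrs, body)
    print(status, resp)
    print(authorize_api_call(resp["access_token"], "users:read"))   # the client id
    print(authorize_api_call(resp["access_token"], "users:write"))  # None: scope not granted
```

The point to notice is what is absent: no user identity is attached to the token, only the client_id and the scopes the application was registered for, and the server refuses to widen those scopes on request. The hashed secret, constant-time comparison and uniform failure path are hardening choices for this example rather than requirements spelled out in RFC 6749.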
For CIAM, the client credentials grant underpins the machine-to-machine layer, allowing backend systems and partner integrations to interact securely with the identity platform without involving a customer session.
Sources
- IETF RFC 6749, The OAuth 2.0 Authorization Framework: https://datatracker.ietf.org/doc/html/rfc6749
Standards
- IETF RFC 6749