# Client Credentials Flow

The Client Credentials Flow (as defined in [OAuth 2.0 RFC 6749](https://tools.ietf.org/html/rfc6749#section-4.4)) involves an application exchanging its application credentials, such as [client ID](#user-content-fn-1)[^1] and [client secret](#user-content-fn-2)[^2], for an access token.

This flow is best suited for Machine-to-Machine (M2M) applications, such as CLIs, daemons, or backend services, because the system must authenticate and authorize the application instead of a user.

## How it works

<figure><img src="/files/qoOho57i6F9n0emOBv4H" alt=""><figcaption></figcaption></figure>

1. The client application sends its credentials to the Authorization Server.
2. The Authorization Server validates the application's credentials.
3. The Authorization Server responds with an access token.
4. The client application can use the access token to call the API on behalf of itself.
5. The API responds with requested data.

## Parameters

The following request parameters are required when calling the authorization server's token endpoint to fetch an access token.

<table><thead><tr><th width="275">Parameter Name</th><th>Description</th></tr></thead><tbody><tr><td><code>grant_type</code>  <strong>(required)</strong></td><td>Must be set to <code>client_credentials</code>.</td></tr><tr><td><code>client_id</code>  <strong>(required)</strong></td><td>The client application ID.</td></tr><tr><td><code>client_secret</code>  <strong>(required)</strong></td><td>The client application secret.</td></tr><tr><td><code>audience</code>  <strong>(required)</strong></td><td>The audience for the token, i.e. the Switch API.</td></tr></tbody></table>

## Request

The following is an example client credentials grant request as the Authorization Server would receive it.

{% tabs %}
{% tab title="cURL" %}

```bash
curl --request POST \
  --url 'https://{authorization-server.com}/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data client_id=YOUR_CLIENT_ID \
  --data client_secret=YOUR_CLIENT_SECRET \
  --data audience=API_AUDIENCE
```

{% endtab %}

{% tab title="C#" %}

```csharp
var client = new RestClient("https://{authorization-server.com}/oauth/token");
var request = new RestRequest(Method.POST);
request.AddHeader("content-type", "application/x-www-form-urlencoded");
request.AddParameter("application/x-www-form-urlencoded", "grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&audience=API_AUDIENCE", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
```

{% endtab %}

{% tab title="Java" %}

```java
HttpResponse<String> response = Unirest.post("https://{authorization-server.com}/oauth/token")
  .header("content-type", "application/x-www-form-urlencoded")
  .body("grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&audience=API_AUDIENCE")
  .asString();
```

{% endtab %}

{% tab title="NodeJS" %}

```javascript
const axios = require("axios").default;

const options = {
  method: 'POST',
  url: 'https://{authorization-server.com}/oauth/token',
  headers: {'content-type': 'application/x-www-form-urlencoded'},
  data: new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: 'YOUR_CLIENT_ID',
    client_secret: 'YOUR_CLIENT_SECRET',
    audience: 'API_AUDIENCE'
  })
};

axios.request(options).then(function (response) {
  console.log(response.data);
}).catch(function (error) {
  console.error(error);
});
```

{% endtab %}
{% endtabs %}

## Response

If all goes well, you'll receive an `HTTP 200` response with a payload containing `access_token`, `token_type`, and `expires_in` values:

```json
{
  "access_token":"eyJz93a...k4laUWw",
  "token_type":"Bearer",
  "expires_in":86400
}
```

{% hint style="info" %}
The access token returned by the Switch Authorization Server is valid for 24 hours only. After that you need to request a new one in order to access the Switch API.
{% endhint %}

{% hint style="warning" %}
It is important that the client caches the fetched access token for the duration of its validity and reuses it for subsequent requests. The Switch Authorization Server imposes rate limits on the token endpoint; once a limit is reached, requests to fetch an access token are rejected for a given time period.
{% endhint %}
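As an added example (not part of the original page), a small Python client that sends the grant request shown above and caches the token for its lifetime, as the warning advises; the token URL is the page's placeholder, and the credential values and the `safety_margin` of 60 seconds are assumptions.

```python
import json
import threading
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://{authorization-server.com}/oauth/token"  # placeholder from the page


def request_token(client_id, client_secret, audience, token_url=TOKEN_URL, timeout=10):
    """POST the form-encoded grant from the Request section; return the parsed body."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "audience": audience})
    req = urllib.request.Request(token_url, data=form.encode(), method="POST",
                                 headers={"content-type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def validate_token_response(body):
    """Check the shape documented in the Response section before trusting it."""
    token, expires_in = body.get("access_token"), body.get("expires_in")
    if not isinstance(token, str) or not token:
        raise ValueError("token response missing access_token")
    if body.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type: %r" % body.get("token_type"))
    if not isinstance(expires_in, int) or expires_in <= 0:
        raise ValueError("token response missing a positive expires_in")
    return token, expires_in


class TokenCache:
    """Reuse one token until shortly before expiry; refresh only when needed."""

    def __init__(self, fetch, safety_margin=60, now=time.monotonic):
        self._fetch = fetch            # e.g. lambda: request_token(ID, SECRET, AUD)
        self._margin = safety_margin   # refresh this many seconds before expiry (assumed)
        self._now = now                # injectable clock (seconds)
        self._lock = threading.Lock()  # one refresh at a time across threads
        self._token, self._expires_at = None, 0.0
        self.fetch_count = 0           # how often the endpoint was actually hit

    def get(self):
        """Return a usable access token, hitting the endpoint only when needed."""
        with self._lock:
            if self._token is None or self._now() >= self._expires_at - self._margin:
                self._token, expires_in = validate_token_response(self._fetch())
                self._expires_at = self._now() + expires_in
                self.fetch_count += 1
            return self._token
```

Use `"Authorization: Bearer " + cache.get()` on every API call; the endpoint is only contacted again when the cached token is within the safety margin of its 24-hour expiry.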

{% hint style="info" %}
The Client Credentials flow is used by the platform [organization clients](/switch-api/authentication/organization-client.md) whose secrets can be managed by the organization administrators.
{% endhint %}

[^1]: Identifier assigned to your registered resource by the Switchmarket Authorization Server.

[^2]: Secret used by a client (application) to authenticate with the Switchmarket Authorization Server; it should be known only to the client and the Switchmarket Authorization Server and must be sufficiently random that it cannot be guessed.
