Client Credentials Grant
An OAuth 2.0 grant type for server-to-server authentication where the client authenticates directly with its own credentials, without a user context.
Description
The Client Credentials Grant is an OAuth 2.0 flow designed for machine-to-machine (M2M) communication where no user is involved. The client (a backend service, daemon, or CLI tool) authenticates directly with the authorization server using its own credentials (client_id and client_secret) and receives an access token. There is no user interaction, no browser redirect, and no refresh token -- the client simply requests a new token when the current one expires.
This grant type is appropriate for service-to-service calls in a microservices architecture, batch processing jobs, backend integrations with third-party APIs, and automated infrastructure operations. The client authenticates by sending a POST request to the token endpoint with grant_type=client_credentials, along with client authentication (typically HTTP Basic auth with client_id:client_secret, or client_id and client_secret in the POST body). The authorization server validates the credentials and returns an access token with the requested scopes.
Security considerations include protecting the client secret with the same rigor as a private key -- store it in environment variables or a secrets manager (not source code), rotate it periodically, and limit each client's scopes to the minimum necessary for its function. Use short-lived tokens (5-15 minutes) and implement token caching on the client side to avoid requesting a new token for every API call. In Kubernetes environments, consider using projected service account tokens or workload identity instead of static client secrets. The client credentials grant should never be used from client-side applications (browsers, mobile apps) where the client secret cannot be kept confidential.
Prompt Snippet
Implement the OAuth 2.0 Client Credentials Grant for service-to-service authentication. Configure each microservice with a unique client_id and client_secret stored in a secrets manager (AWS Secrets Manager, HashiCorp Vault). Request tokens from the authorization server via POST /oauth/token with grant_type=client_credentials and scope parameters. Cache the returned access token in memory with an expiration buffer (e.g., refresh 60 seconds before exp). Implement token refresh logic with retry and exponential backoff. On the resource server side, validate the access token and check that the azp (authorized party) or client_id claim matches the expected caller for the endpoint.
Tags
Related Terms
OAuth 2.0
An authorization framework that enables third-party applications to obtain limited access to a web service on behalf of a resource owner.
Authorization Code Grant
An OAuth 2.0 grant type where the client receives an authorization code via a browser redirect and exchanges it server-side for tokens, keeping tokens off the front channel.
Service-to-Service Auth (mTLS)
A transport-layer authentication mechanism where both client and server present X.509 certificates to mutually verify each other's identity, commonly used in service mesh architectures.
API Key Authentication
An authentication method where a unique key is issued to identify and authenticate API consumers, commonly used for server-to-server and third-party integrations.
Scope-Based Permissions
A permission model where access tokens carry scope strings that define the specific actions and resources the token is authorized to access.