See openid-connect Menu

Client Credentials Grant

The OpenId Connect Client Credentials grant can be used for machine to machine authentication. In this grant a specific user is not authorized but rather the credentials are verified and a generic access_token is returned.

The access_token is a signed JSON Web Token (JWT) which contains expiry information. It’s authenticity can be verified without the need for further API calls which makes it useful for authorizing other services where latency is a concern.

Note that the access token returned is different to the access token generated via the OAuth 2.0 Tokens API. Therefore it can not be used to authorize API calls against other endpoints such as Users or Events.

Resource URL


Header Parameter



Required if Token Endpoint Authentication Method is set to Basic

Set to Basic <base64 encoded "clientId:clientSecret">.

The client_id and client_secret are generated when you configure your OpenId Connect app in OneLogin.

e.g. Using Node.js this would be

new Buffer(`${this.client_id}:${this.client_secret}`).toString('base64');





Resource Parameter




Set to the subdomain of your OneLogin instance.

e.g. oidc-sample where the instance is

Request Parameter




Set to “client_credentials”



The OneLogin generated Client ID for your OpenID Connect app.

Required if Token Endpoint Authentication method is set to POST.



The OneLogin generated Client Secret for your OpenID Connect app.

Required if Token Endpoint Authentication method is set to POST.



Optional. When API Authorization is configured, specify the API Resource Identifier here to generate a customized Access Token that can be used for authorizing access to apis and api gateways.

e.g. resource=



Optional. When API Authorization is configured, you can specific a space separated list of scopes that have been approved for the API Authorization client. These scopes will be included in the Access Token that is returned.

Sample Request Body


Sample Response

    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkpSY080bnhzNWpnYzhZZE43STJoTE80Vl9xbDFiZG9pTVhtY1lnSG00SHMifQ.eyJqdGkiOiJ1N2FTRDgyNFdrSnd0d3ZuZzZObWYiLCJpc3MiOiJodHRwczovL29wZW5pZC1jb25uZWN0Lm9uZWxvZ2luLmNvbS9vaWRjIiwiaWF0IjoxNTM0ODExODI2LCJleHAiOjE1MzQ4MTI0MjYsImF1ZCI6IjlhNmQ2MzUwLTJhZjgtMDEzNi0xOTdiLTA2YWNjNzZkMzRiNDkyOTIwIn0.VtybpMirTTrRGiYsJfX-yIjVkqkuyc1gj7pbim0ecOde3ku75Zvyh42nxkKdxxzBuMvWZpulpiaFru6ZAnd6MxZj9VyKmqZ3xFhBr0GRKzScRJjnX2_cAHCJtr7AqwxolaGsu4iZUolOrTdhX1BU3skLvNYE05TdeEITUsilEPL0ew5VV8MzYFQkY7Grr47MxpwEUv7yT6C3pz87Bgg5_7zFPHpLLeCRC8bhMK0rRe9uyK9ExQKIkLlf5Hyh1gfWqrTYwgXfIQt1Ba7IiAMAQvN60VTDbSxLBl0_x-vE-ezVfyHkN4d6owF37wOruoLsZ8c1braUNOWY00xkPwxxTQ",
    "expires_in": 600,
    "token_type": "Bearer"

The grant_type MUST be set to client_credentials

    "error": "unsupported_grant_type",
    "error_description": "unsupported grant_type requested (xxxx)"

The authorization header is invalid

    "error": "invalid_request",
    "error_description": "invalid authorization header value format"

Invalid client_id or client_secret

    "error": "invalid_client",
    "error_description": "client authentication failed"

Response Elements


A JWT that represents the session that has just been created.

For example the body of the JWT contains:

  "jti": "s0r5Z9z6LTJPs2xP2sipi",
  "iss": "",
  "iat": 1534812736,
  "exp": 1534813336,
  "aud": "9a6d6350-2af8-0136-197b-06acc76d34b492920"
expires_in The number of seconds until the session expires.
token_type The type of access token. Always set to “Bearer”

Sample Code


Replace sample values indicated by < > with your actual values.

curl -XPOST "https://<subdomain>" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials"

Postman Collection

Run In Postman

    Clicking Run in Postman button navigates to the page where you can fork the collection to your workspace. Forking the collection into your workspace will enable you to contribute to the source collection using pull requests. You can also view the collection in a public workspace if you like and even import a copy of the collection using the links present on the screen.

Have a Question?

Found a problem or a bug? Submit a support ticket.

Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.

Have a product idea or request? Share it with us in our Ideas Portal.