---
title: "Get Tokens: Client Credentials Grant Type"
description: The client credentials type works in a similar way to the ROPC grant type and is used to provide an access token to a client based on the credentials of the client, not the resource owner. In this grant type, the client credentials are swapped for an access token (step 1 below).
component: developer-resources
page_id: developer-resources:oauth_20_developer_guide:client-credentials-grant-type
canonical_url: https://docs.pingidentity.com/developer-resources/oauth_20_developer_guide/client-credentials-grant-type.html
revdate: September 30, 2020
section_ids:
  sample-client-configuration: Sample Client Configuration
  getting-the-token: Getting the Token
---

# Get Tokens: Client Credentials Grant Type

The client credentials grant type works in a similar way to the ROPC grant type. It provides an access token to a client based on the credentials of the client, not the resource owner. In this grant type, the client credentials are swapped for an access token (step 1 below).

![Oauth cc flow](_images/qok1601508155833.png)

| Capability                                            |     |
| ----------------------------------------------------- | --- |
| Browser-based end user interaction                    | No  |
| Can use external IDP for authentication               | No  |
| Requires client authentication                        | Yes |
| Requires client to have knowledge of user credentials | No  |
| Refresh token allowed                                 | No  |
| Access token is in context of end user                | No  |

## Sample Client Configuration

For the client credentials example below, the following client information will be used:

| Admin Label           | OAuth2 Parameter | Example Value                        |
| --------------------- | ---------------- | ------------------------------------ |
| Client ID             | client\_id       | cc\_client                           |
| Client Authentication | client\_secret   | 2Federate                            |
| Allowed Grant Types   | grant\_type      | grant\_type of "client\_credentials" |
| Scope Settings        | scope            | edit                                 |

## Getting the Token

The client makes a request (HTTP POST) to the token endpoint with the client credentials presented as HTTP Basic authentication:

```
POST https://localhost:9031/as/token.oauth2 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic Y2NfY2xpZW50OjJGZWRlcmF0ZQ==

grant_type=client_credentials&scope=edit
```

Note: The client credentials can also be provided using the client\_id and client\_secret parameters in the contents of the POST.

The client will receive a response to this request. If successful, a 200 OK response will be received and the access token will be returned in a JSON structure. A refresh token will NOT be returned to the client.

```
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{
  "access_token":"zzz...yyy",
  "token_type":"Bearer",
  "expires_in":14400
}
```
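
As an added example (not part of the original page or of any Ping Identity code), the following Python builds the request shown above from the sample client values and validates the token response. The function names, the 60-second clock-skew margin, and the choice to reject a response that contains a `refresh_token` are assumptions of this example.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://localhost:9031/as/token.oauth2"  # endpoint from the page
CLOCK_SKEW = 60  # seconds; assumed safety margin, not from the page
# Response body from the page's example (token value is the page's placeholder).
SAMPLE_RESPONSE = '{"access_token":"zzz...yyy","token_type":"Bearer","expires_in":14400}'


def build_token_request(client_id, client_secret, scope):
    """Build the token POST with the client authenticated via HTTP Basic."""
    # RFC 6749 section 2.3.1: form-urlencode the id and secret, then base64.
    pair = "{}:{}".format(urllib.parse.quote_plus(client_id),
                          urllib.parse.quote_plus(client_secret))
    basic = base64.b64encode(pair.encode("utf-8")).decode("ascii")
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "scope": scope})
    return urllib.request.Request(
        TOKEN_ENDPOINT, data=body.encode("ascii"), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Authorization": "Basic " + basic})


def parse_token_response(raw, now=None):
    """Validate the JSON body; return (access_token, refresh_deadline_epoch)."""
    doc = json.loads(raw)
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    token = doc.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("missing access_token")
    if "refresh_token" in doc:
        # This grant returns no refresh token; treat one as an anomaly.
        raise ValueError("unexpected refresh_token")
    now = time.time() if now is None else now
    # Re-request a token shortly before expires_in elapses.
    return token, now + int(doc["expires_in"]) - CLOCK_SKEW


if __name__ == "__main__":
    req = build_token_request("cc_client", "2Federate", "edit")
    print(req.get_method(), req.full_url)
    print("Authorization:", req.get_header("Authorization"))
    print(req.data.decode("ascii"))
    print(parse_token_response(SAMPLE_RESPONSE, now=0))
```

Passing the returned request to `urllib.request.urlopen` sends it with certificate verification enabled by default, so the token endpoint must present a certificate the client trusts.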
