Client Credentials Flow

This method is ideal for machine-to-machine authentication. Your solution application securely stores its API key and API secret, then passes them to Fortellis in exchange for an access token. The flow has two steps:

  1. Your application passes its client credentials to your Fortellis authorization server.
  2. The Fortellis servers respond granting an access token if the credentials are authorized.

API Key & Secret

Your client solution application needs its API key and API secret available at runtime; find them in your Fortellis developer account. They are passed via HTTP Basic Authentication (username: API key; password: API secret) in the request to the authorization server's token endpoint. See the example below:

curl --request POST \
  --url https://identity.fortellis.io/oauth2/aus1p1ixy7YL8cMq02p7/v1/token \
  --header 'accept: application/json' \
  --header 'authorization: Basic MG9hY...' \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials&redirect_uri={your_redirect_uri}&scope=anonymous'

NOTE: the API key and API secret aren't included in the POST body. Instead, they're placed in the HTTP Authorization header following the rules of HTTP Basic Auth. The following table defines the parameters passed in the client credentials flow:

Parameter     Description
grant_type    Use the client_credentials grant type.
redirect_uri  Optional. If supplied, it must match the Callback URL you specified when you registered your solution.
scope         Must be anonymous. Currently, anonymous is the only valid scope for this flow.

If the client credentials are valid, the application receives an access token in the response. See the following example:

{
    "access_token": "eyJhbG[...]1LQ",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "anonymous"
}
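The complete flow above, as an added Python example (not Fortellis's own SDK or sample code): it builds the Basic Authorization header from the API key and secret, assembles the form-encoded token request, validates the token response, and caches the token until shortly before expires_in runs out so the application does not call the token endpoint on every API request. The token URL is the one shown in the curl example; the API key, secret and redirect URI are placeholder values, and the `fetch` callable passed to TokenCache is an assumed injection point so the logic can be exercised without a network.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Token endpoint from the curl example on this page.
TOKEN_URL = "https://identity.fortellis.io/oauth2/aus1p1ixy7YL8cMq02p7/v1/token"


def basic_auth_header(api_key, api_secret):
    """Encode 'key:secret' per HTTP Basic Auth; the secret never goes in the body."""
    creds = f"{api_key}:{api_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def build_token_request(api_key, api_secret, redirect_uri=None, scope="anonymous"):
    """Return (headers, body) for the client_credentials POST.

    redirect_uri is optional and, if given, must match the registered Callback URL.
    """
    form = [("grant_type", "client_credentials")]
    if redirect_uri:
        form.append(("redirect_uri", redirect_uri))
    form.append(("scope", scope))
    headers = {
        "accept": "application/json",
        "authorization": basic_auth_header(api_key, api_secret),
        "cache-control": "no-cache",
        "content-type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(form).encode("ascii")
    return headers, body


def parse_token_response(raw, expected_scope="anonymous", now=None):
    """Validate the JSON token response and convert expires_in to an absolute time."""
    now = time.time() if now is None else now
    data = json.loads(raw)
    for field in ("access_token", "token_type", "expires_in"):
        if field not in data:
            raise ValueError(f"token response missing {field!r}")
    if data["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    if data.get("scope") != expected_scope:
        raise ValueError(f"granted scope {data.get('scope')!r} != {expected_scope!r}")
    return {
        "access_token": data["access_token"],
        "expires_at": now + int(data["expires_in"]),
    }


def request_token(api_key, api_secret, redirect_uri=None, opener=urllib.request.urlopen):
    """Perform the live exchange; `opener` is injectable for testing (assumed design)."""
    headers, body = build_token_request(api_key, api_secret, redirect_uri)
    req = urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")
    with opener(req) as resp:
        return parse_token_response(resp.read())


class TokenCache:
    """Reuse an access token until `skew` seconds before it expires, then refresh."""

    def __init__(self, fetch, skew=60):
        self._fetch = fetch      # callable returning parse_token_response()'s dict
        self._skew = skew
        self._token = None
        self._expires_at = 0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self._skew:
            tok = self._fetch()
            self._token = tok["access_token"]
            self._expires_at = tok["expires_at"]
        return self._token


if __name__ == "__main__":
    # Placeholder credentials; a real run would read them from a secret store.
    cache = TokenCache(lambda: request_token("YOUR_API_KEY", "YOUR_API_SECRET",
                                             "https://example.com/callback"))
    print(cache.get())
```

The scope check in parse_token_response matters because a token granted for a different scope than requested should be treated as a failed exchange rather than silently used; the `skew` in TokenCache avoids presenting a token that expires in transit.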