Authkestra

Client Credentials Flow

The Client Credentials flow is used for machine-to-machine (M2M) authentication where no user interaction is required.

Overview

Unlike user-facing OAuth flows, the Client Credentials grant authenticates the application itself rather than a user. The application presents its client ID and secret directly to the authorization server in exchange for an access token.

When to Use

Use Client Credentials when:

  • Backend Services: API-to-API communication between your services
  • Scheduled Jobs: Cron jobs or background workers that need API access
  • Microservices: Internal service authentication in a microservices architecture
  • CLI Tools: Automated scripts that run without user intervention

Not for User Authentication

Client Credentials should never be used to authenticate end users. Use the Authorization Code flow or other user-facing flows instead.

Implementation

use authkestra_flow::ClientCredentialsFlow;

// A tokio runtime is assumed here because the flow is async; the environment
// variable names for the client ID and token URL are placeholders (only
// AUTHKESTRA_CLIENT_SECRET is shown elsewhere in these docs).
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Credentials and the token endpoint come from the environment, never from source
    let client_id = std::env::var("AUTHKESTRA_CLIENT_ID")?;
    let client_secret = std::env::var("AUTHKESTRA_CLIENT_SECRET")?;
    let token_url = std::env::var("AUTHKESTRA_TOKEN_URL")?;

    // 1. Initialize the flow
    let flow = ClientCredentialsFlow::new(client_id, client_secret, token_url);

    // 2. Obtain an access token, requesting only the scopes this service needs
    let token = flow.get_token(Some(&["read", "write"])).await?;

    // 3. Use the token in your API calls
    let client = reqwest::Client::new();
    let response = client
        .get("https://api.example.com/data")
        .bearer_auth(&token.access_token)
        .send()
        .await?;
    println!("status: {}", response.status());
    Ok(())
}

Full Example

For a complete working implementation including environment configuration and error handling, see the example in the repository:

Security Considerations

Protect Your Secrets

  • Never expose client secrets in client-side code or version control
  • Use environment variables or secure secret management
  • Rotate secrets regularly
  • Use the minimum required scopes

// Good: Load from environment
let secret = std::env::var("AUTHKESTRA_CLIENT_SECRET")?;

// Better: Use a secrets manager
let secret = secrets_manager.get_secret("oauth/client-secret").await?;

// Never: Hardcode secrets
let secret = "my-super-secret-key"; // DON'T DO THIS
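The Overview above says the application presents its client ID and secret to the authorization server in exchange for a token, and the list above asks for minimum scopes. The following added example (not Authkestra's own code; all names and sample values are constructed) shows what `ClientCredentialsFlow` does for you on the wire, following RFC 6749 section 4.4: form-encoding the credentials into the HTTP Basic header, building the request body with only the needed scopes, checking whether the server narrowed the granted scope, and refreshing a cached token shortly before expiry so the secret is only sent when a new token is actually needed. It uses only the Rust standard library.

```rust
// Added illustration, not Authkestra code: the wire format of a
// client_credentials token request (RFC 6749 section 4.4) plus two checks a
// caller should make. Function and type names here are the example's own.

/// application/x-www-form-urlencoded encoding, as RFC 6749 requires for the
/// client_id and client_secret before they go into the Basic header (2.3.1)
/// and for the scope parameter in the request body.
fn form_encode(input: &str) -> String {
    let mut out = String::new();
    for b in input.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => {
                out.push(b as char)
            }
            b' ' => out.push('+'),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Standard base64 with padding, written out so the example has no dependencies.
fn base64_encode(data: &[u8]) -> String {
    const TABLE: &[u8; 64] =
        b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut out = String::new();
    for chunk in data.chunks(3) {
        let n = ((chunk[0] as u32) << 16)
            | ((*chunk.get(1).unwrap_or(&0) as u32) << 8)
            | (*chunk.get(2).unwrap_or(&0) as u32);
        out.push(TABLE[((n >> 18) & 63) as usize] as char);
        out.push(TABLE[((n >> 12) & 63) as usize] as char);
        out.push(if chunk.len() > 1 { TABLE[((n >> 6) & 63) as usize] as char } else { '=' });
        out.push(if chunk.len() > 2 { TABLE[(n & 63) as usize] as char } else { '=' });
    }
    out
}

/// HTTP Basic credential for the token endpoint: base64(urlencode(id):urlencode(secret)).
fn basic_auth_header(client_id: &str, client_secret: &str) -> String {
    let raw = format!("{}:{}", form_encode(client_id), form_encode(client_secret));
    format!("Basic {}", base64_encode(raw.as_bytes()))
}

/// Body of the POST to the token endpoint. Only the scopes the job actually
/// needs are requested (least privilege); an empty list sends no scope parameter.
fn token_request_body(scopes: &[&str]) -> String {
    let mut body = String::from("grant_type=client_credentials");
    if !scopes.is_empty() {
        body.push_str("&scope=");
        body.push_str(&form_encode(&scopes.join(" ")));
    }
    body
}

/// The server may narrow the granted scope (RFC 6749 5.1 returns `scope`
/// whenever it differs from the request). Returns the requested scopes that
/// were NOT granted so the caller can fail closed instead of hitting 403 later.
fn missing_scopes<'a>(requested: &[&'a str], granted: &str) -> Vec<&'a str> {
    let granted: Vec<&str> = granted.split_whitespace().collect();
    requested.iter().copied().filter(|s| !granted.contains(s)).collect()
}

/// Cached token with an absolute expiry (seconds since the epoch).
struct CachedToken {
    access_token: String,
    expires_at: u64,
}

/// Refresh a little before expiry so an in-flight request never carries a
/// token that expires mid-call. Caching also means the client secret only
/// travels to the token endpoint when a new token is needed, not per API call.
const REFRESH_MARGIN_SECS: u64 = 60;

fn needs_refresh(cached: Option<&CachedToken>, now: u64) -> bool {
    match cached {
        None => true,
        Some(t) => now + REFRESH_MARGIN_SECS >= t.expires_at,
    }
}

fn main() {
    let requested = ["read", "write"];
    // Constructed sample credentials; real ones come from the environment or a secrets manager.
    println!("Authorization: {}", basic_auth_header("my-app", "p@ss word"));
    println!("{}", token_request_body(&requested));

    // Constructed sample response in which the server granted only "read".
    let missing = missing_scopes(&requested, "read");
    if !missing.is_empty() {
        eprintln!("token lacks required scopes: {:?}", missing);
    }

    let token = CachedToken { access_token: "<redacted>".into(), expires_at: 1_000_000 };
    // Log token length or expiry for debugging, never the token value itself.
    println!("cached {}-byte token; refresh at t=999950? {}",
             token.access_token.len(), needs_refresh(Some(&token), 999_950));
}
```

Note that the scope check and the refresh margin are the parts worth carrying into real code: a job that silently continues with a narrowed scope, or that re-authenticates with the client secret on every request, widens the exposure of exactly the credential this section says to protect.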
