Client Credentials Flow



Set up the OAuth2 client custom application and select "client creds" as the auth method. The OAuth2 client application is used to call CyberArk Identity APIs.


Set up the OAuth2 server custom application and select "client creds" as the auth method. The OAuth2 server application is used to call custom application APIs. Here CyberArk Identity acts as the authorization server and the custom application as the resource server.

Create a confidential client

With the increase in automated devices, machine-to-machine (M2M) communication now covers many cases: communication between two backend devices, service-to-service communication, backend to daemon, CLI client to internal service, and so on. In contrast with user authentication, where a person supplies a password or other MFA factors, an application or process must be authenticated by establishing trust in the system.

The Client Credentials grant is used in M2M flows when an application requests an access token to access protected resources. In this flow, the client application presents a client ID and a client secret to obtain an access token from a tenant; no user is involved.

How does it work?


In this flow,

  • The client application (or relying party) requests access tokens from CyberArk Identity.
  • CyberArk Identity authenticates the client and returns the access token.
  • The client application uses the access token to request protected resources.

Integrate CyberArk Identity's client credentials flow

The first API that is invoked is /token/.

The body of the request is a form post. It specifies a grant_type of client_credentials, the client_id and client_secret (the username and password of the service user) and, optionally, a scope:

POST https://<yourtenant>/oauth2/token/<your app ID>

  "grant_type": "client_credentials",
  "client_id": <client_id>,
  "client_secret": <client_secret>,
  "scope": <scope>            (optional)

The response contains an access_token for use in subsequent API calls, together with the token's lifetime (expires_in, in seconds), the scope for which access was granted, and the type of token issued (token_type):

	access_token = "abc1234asdf9823...",
	token_type = "Bearer",
	expires_in = <seconds until expiry>,
	scope = <granted scope>

The token can then be used in subsequent API calls by sending it in the Authorization header, prefixed with the token type. For example:

	Authorization: Bearer abc1234asdf9823...
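The request and response above, carried through end to end as an added example; this is not code from the CyberArk Identity documentation or SDKs. It assumes the /oauth2/token/<app ID> endpoint described on this page, with the tenant host, app ID, client credentials and the token response all being constructed placeholders. The helpers build the form-encoded token request, parse the response into an absolute expiry, decide when a cached token must be re-requested, produce the Authorization header for calls to the resource server, and redact the client secret before anything is logged.

```python
"""Client credentials flow against a CyberArk Identity tenant (added example).

Assumptions: the /oauth2/token/<app ID> endpoint from the page; TENANT, APP_ID,
the credentials and SAMPLE_RESPONSE are constructed placeholders.
"""
import json
import time
import urllib.parse
import urllib.request

TENANT = "yourtenant.example"   # placeholder tenant host
APP_ID = "your-app-id"          # placeholder OAuth2 server application ID
TOKEN_URL = f"https://{TENANT}/oauth2/token/{APP_ID}"


def build_token_request(client_id, client_secret, scope=None):
    """Return (url, headers, body) for a form-encoded client_credentials request."""
    fields = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if scope:
        fields["scope"] = scope  # scope is optional
    body = urllib.parse.urlencode(fields).encode("utf-8")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return TOKEN_URL, headers, body


def parse_token_response(raw, now):
    """Parse the JSON token response and attach an absolute expiry timestamp."""
    data = json.loads(raw)
    if "access_token" not in data:
        # Error responses carry "error" instead of a token; surface it.
        raise ValueError(f"token request failed: {data.get('error', 'no access_token')}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type: {data.get('token_type')!r}")
    return {
        "access_token": data["access_token"],
        "scope": data.get("scope", ""),
        "expires_at": now + int(data.get("expires_in", 0)),
    }


def token_is_fresh(token, now, skew=30):
    """True while the token is valid with a safety margin; otherwise request a new one."""
    return token["expires_at"] - skew > now


def authorization_header(token):
    """Header the client sends to the resource server (the custom application)."""
    return {"Authorization": f"Bearer {token['access_token']}"}


def redact(body):
    """Log-safe rendering of the form body: the client secret must never reach logs."""
    fields = dict(urllib.parse.parse_qsl(body.decode("utf-8")))
    if "client_secret" in fields:
        fields["client_secret"] = "REDACTED"
    return urllib.parse.urlencode(fields)


def fetch_token(client_id, client_secret, scope=None):
    """Live request (not exercised here): POST the form to the tenant and parse the result."""
    url, headers, body = build_token_request(client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read(), time.time())


# Constructed sample response, shaped like the one described on the page.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "abc1234asdf9823...",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "read",
}).encode("utf-8")

if __name__ == "__main__":
    url, headers, body = build_token_request("svc-client-id", "svc-secret", "read")
    print("POST", url, redact(body))
    tok = parse_token_response(SAMPLE_RESPONSE, now=1_000_000)
    print(authorization_header(tok), "fresh:", token_is_fresh(tok, now=1_000_000))
```

In a real service, cache the parsed token and call token_is_fresh before each API call so that a new token is requested only when the current one is about to expire, and keep the client secret out of logs, command lines and version control.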




Integrate client credentials flow using CyberArk Identity SDKs