
Security

Machine To Machine Auth With Client Credentials

How services authenticate to each other without a human in the loop.


When There Is No User

The OAuth 2.0 client credentials grant (RFC 6749 §4.4) lets one service obtain an access token to call another with no human present. The client authenticates to the authorization server with its own client id and secret and receives an access token scoped to what that client, as an application, is permitted to do.

How It Differs

  • There is no user consent step, because the client acts on its own behalf rather than for a user.
  • The token represents the application, not a person, so the scopes it carries must be tight; the client's registration is the only thing bounding them.
  • The client secret is long lived (it typically outlasts many access tokens), so how it is stored and rotated matters more than it does for any single token.

Doing It Safely

  • Store the client secret in a secrets manager or the platform's secret store and inject it at runtime; never commit it to source or bake it into an image.
  • Register and request only the minimum scopes each integration needs, and have the resource server enforce them on every call.
  • Prefer short lived access tokens, and rotate client secrets on a schedule with an overlap window so the old secret keeps working until every deployment holds the new one.
  • Prefer stronger client authentication than a shared secret where the authorization server supports it: a signed JWT assertion with a private key (private_key_jwt, RFC 7523) or mutual TLS (RFC 8705), so no reusable secret is ever sent over the wire.
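The exchange described in the two lists above, as an added example that is not part of this lesson: a client builds a client_secret_basic token request, a toy authorization server checks the secret (accepting the current and the previous one during a rotation window), bounds the scope by the client's registration, and issues a short lived HS256 token, and a resource server verifies signature, audience, expiry and scope before honouring a call. The registry, client id, secrets, signing key and URLs are all constructed for the demo; a real authorization server would be a separate service and would normally sign with an asymmetric key.

```python
"""Toy OAuth 2.0 client credentials flow, all three parties in one process.
Constructed example: registry, key, client id and secrets are made up."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlencode

TOKEN_TTL_SECONDS = 300                 # short lived: a leaked token is useful for minutes
AUDIENCE = "invoices-api"               # the resource server these tokens are minted for
SIGNING_KEY = secrets.token_bytes(32)   # HS256 key shared by AS and resource server (demo only)


def _hash_secret(secret: str) -> str:
    # The authorization server keeps only a digest, never the secret itself.
    return hashlib.sha256(secret.encode()).hexdigest()


# Assumed client registration. Two digests are valid at once so a rotation can
# overlap: the old secret keeps working until every deployment has the new one.
CLIENT_REGISTRY = {
    "billing-worker": {
        "secret_hashes": [_hash_secret("old-secret-being-retired"),
                          _hash_secret("new-secret-2024-06")],
        "allowed_scopes": {"invoices:read", "invoices:write"},
    }
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(message: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).digest()


# ---- client side: the secret comes from the environment / secrets manager, not source
def build_token_request(client_id: str, client_secret: str, scope: str):
    """Headers and form body for a client_secret_basic token request (RFC 6749 4.4)."""
    # RFC 6749 2.3.1: form-urlencode id and secret before Basic-encoding them.
    basic = base64.b64encode(f"{quote(client_id)}:{quote(client_secret)}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({"grant_type": "client_credentials", "scope": scope})


# ---- authorization server side
def _parse_basic_auth(header: str):
    scheme, _, credential = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(credential).decode().partition(":")
    except ValueError:
        return None
    return unquote(user), unquote(password)


def token_endpoint(headers: dict, body: str, now: Optional[float] = None):
    """Toy /token endpoint: returns (http_status, json_body)."""
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    creds = _parse_basic_auth(headers.get("Authorization", ""))
    if creds is None:
        return 401, {"error": "invalid_client"}
    client_id, client_secret = creds
    client = CLIENT_REGISTRY.get(client_id)
    presented = _hash_secret(client_secret)
    # Constant-time compare against every digest accepted during the rotation window.
    if client is None or not any(hmac.compare_digest(presented, h) for h in client["secret_hashes"]):
        return 401, {"error": "invalid_client"}
    requested = set(form.get("scope", "").split())
    # No user consent exists, so the registration is the only bound on scope.
    if not requested or not requested <= client["allowed_scopes"]:
        return 400, {"error": "invalid_scope"}
    claims = {"iss": "https://auth.example", "sub": client_id, "aud": AUDIENCE,
              "scope": " ".join(sorted(requested)), "iat": int(now),
              "exp": int(now) + TOKEN_TTL_SECONDS}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = f"{header}.{_b64url(json.dumps(claims).encode())}"
    token = f"{signing_input}.{_b64url(_sign(signing_input.encode()))}"
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": TOKEN_TTL_SECONDS, "scope": claims["scope"]}


# ---- resource server side
def verify_access_token(token: str, required_scope: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if signature, audience, expiry and scope all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        if not hmac.compare_digest(_sign(f"{header_b64}.{payload_b64}".encode()), _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None
    if required_scope not in claims.get("scope", "").split():
        return None
    return claims  # "sub" is the application, not a person


if __name__ == "__main__":
    hdrs, form = build_token_request("billing-worker", "new-secret-2024-06", "invoices:read")
    status, resp = token_endpoint(hdrs, form)
    print(status, resp["scope"], verify_access_token(resp["access_token"], "invoices:write"))
```

Two things to notice when running it: a token minted for `invoices:read` is refused for `invoices:write` even though the client is registered for both, because scope is checked per call at the resource server rather than once at issuance; and a request for a scope outside the registration fails at the token endpoint, which is the only place that bound can be enforced when no user is present to consent.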

Key idea

Client credentials authenticate a service to a service with no user consent, so scope tokens tightly, protect the secret, and rotate it regularly.

Check yourself


1. What does a client credentials token represent?

2. Why is secret handling especially important here?