Client Credentials
Authenticate a backend service with no user context using client credentials.
The client credentials grant is for backend-to-backend calls where there is no user. Your service authenticates with its own client_id and client_secret and receives an access token scoped to that service.
There are no refresh tokens — when the token expires, request a new one.
Endpoint
| Token | POST https://auth.xeonr.io/api/v1/oauth/token |
Requesting a token
POST /api/v1/oauth/token HTTP/1.1
Host: auth.xeonr.io
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=550e8400-e29b-41d4-a716-446655440000
&client_secret=YOUR_CLIENT_SECRET
&scope=my-app%3Aread
Or pass credentials as HTTP Basic auth:
POST /api/v1/oauth/token HTTP/1.1
Host: auth.xeonr.io
Authorization: Basic base64(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&scope=my-app%3Aread
Parameters:
| Parameter | Required | Description |
|---|---|---|
| grant_type | Yes | client_credentials |
| client_id | Yes | Your client UUID |
| client_secret | Yes | Your client secret |
| scope | No | Space-separated scopes to request |
Response:
{
"access_token": "eyJ...",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "my-app:read"
}
No refresh_token or id_token is returned.
Token lifetime
Access tokens are valid for 3600 seconds. When a token expires, request a new one using the same request — there is no refresh mechanism for this grant type.
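A backend service usually wraps this flow in a small token cache. The following is an added example, not code from this service's documentation: it sends the credentials as HTTP Basic auth, caches the token, and requests a new one shortly before `expires_in` elapses. The names `TokenSource`, `build_token_request`, `send_over_https`, the 60-second `skew`, and the decision to reject a response that grants less scope than requested are assumptions of the example.

```python
import base64, json, time, urllib.parse, urllib.request

TOKEN_URL = "https://auth.xeonr.io/api/v1/oauth/token"  # endpoint from this page

def build_token_request(client_id, client_secret, scope=None):
    """Build the token POST with HTTP Basic auth, keeping the secret out of the body."""
    # Assumption: the server follows RFC 6749 section 2.3.1, where each
    # credential is form-encoded before base64 (a no-op for UUIDs and
    # alphanumeric secrets).
    pair = "%s:%s" % (urllib.parse.quote_plus(client_id), urllib.parse.quote_plus(client_secret))
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope  # space-separated; urlencode turns ':' into %3A
    headers = {"Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(TOKEN_URL, data=urllib.parse.urlencode(form).encode(),
                                  headers=headers, method="POST")

def send_over_https(req):
    """Default transport: POST the request and parse the JSON response."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenSource:
    """Caches the access token and requests a new one shortly before expiry."""

    def __init__(self, client_id, client_secret, scope=None,
                 send=send_over_https, clock=time.monotonic, skew=60):
        self._creds, self._scope = (client_id, client_secret), scope
        self._send, self._clock, self._skew = send, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at:
            body = self._send(build_token_request(*self._creds, self._scope))
            if body.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type")
            # Fail closed if the server granted less than was requested.
            granted = set(body.get("scope", self._scope or "").split())
            if not set((self._scope or "").split()) <= granted:
                raise PermissionError("requested scope was not granted")
            self._token = body["access_token"]
            # Renew `skew` seconds early so a token never expires mid-request.
            self._expires_at = now + body["expires_in"] - self._skew
        return self._token
```

Load `client_secret` from a secret store or environment variable at startup rather than from source, and keep the returned token out of logs.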