Client Credentials Flow

The client credentials flow is used for accessing an API on behalf of your app. This flow should not be used for APIs that require a user context. The client credentials flow can only be initiated once a customeruser has installed your app.

Obtaining a Token

Node.js Client Credentials Flow

const axios = require("axios");

const CLIENT_ID = "5d24c3ac-ceae-405d-bf5f-12131fc92dc8";
const CLIENT_SECRET = "gs_...";

const customerorg = "ca7308e0-b666-4a87-8f7e-ec96040750bc";

axios
  .post(
    "https://{marketplace_url}/oauth/token",
    new URLSearchParams({
      grant_type: "client_credentials",
      client_id: CLIENT_ID,
      client_secret: CLIENT_SECRET,
      target: customerorg,
    }),
    {
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
    }
  })
  .then((response) => console.log(response.data))
  .catch((error) => console.error(error));

Request Parameters

Parameter

Value

grant_type

client_credentials

client_id

Your app's client ID is found in the partner portal.

client_secret

Your app's client secret is found in the partner portal. You must keep this secure!

target or target_id

The unique partnerorg identifier passed as the target or target_id parameter to your app's installation URL.

scope

(optional) A space-delineated list of scopes you are requesting. Gobo will only grant scopes that the app has already approved during installation. Leaving this blank will request all scopes to which the app has been approved.

Response

Client Credentials Response

{
    "access_token": "eyJhbGci...",
    "expires_in": 28800,
    "token_type": "Bearer",
    "scope": "foo bar"
}

The client credentials flow should only be used by private clients (e.g. a backend web server) as it exposes the client secret. It should never be used by JavaScript in the browser.

Last updated 1 year ago