search

Client Credentials Flow

The client credentials flow is used for accessing an API on behalf of your app. This flow should not be used for APIs that require a user context. The client credentials flow can only be initiated once a customeruser has installed your app.

hashtag
Obtaining a Token

Node.js Client Credentials Flow
const axios = require("axios");

const CLIENT_ID = "5d24c3ac-ceae-405d-bf5f-12131fc92dc8";
const CLIENT_SECRET = "gs_...";

const customerorg = "ca7308e0-b666-4a87-8f7e-ec96040750bc";

axios
  .post(
    "https://{marketplace_url}/oauth/token",
    new URLSearchParams({
      grant_type: "client_credentials",
      client_id: CLIENT_ID,
      client_secret: CLIENT_SECRET,
      target: customerorg,
    }),
    {
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
    }
  })
  .then((response) => console.log(response.data))
  .catch((error) => console.error(error));

hashtag
Request Parameters

Parameter
Value

grant_type

client_credentials

client_id

Your app's client ID is found in the partner portal.

client_secret

Your app's client secret is found in the partner portal. You must keep this secure!

target or target_id

The unique partnerorg identifier passed as the target or target_id parameter to your app's installation URL.

scope

(optional) A space-delineated list of scopes you are requesting. Gobo will only grant scopes that the app has already approved during installation. Leaving this blank will request all scopes to which the app has been approved.

hashtag
Response

circle-exclamation

The client credentials flow should only be used by private clients (e.g. a backend web server) as it exposes the client secret. It should never be used by JavaScript in the browser.

Last updated