Skip to content
Branch: master
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
apiproxy simplifying invoke Apr 22, 2016 added note about base64 Apr 22, 2016 use printf instead of echo for more shell consistency May 22, 2019 adding zip Apr 22, 2016

Client credentials grant type

This sample lets you request an OAuth token from Edge using the OAuth 2.0 client credentials grant type flow.

About client credentials

Most typically, this grant type is used when the app is also the resource owner. For example, an app may need to access a backend cloud-based storage service to store and retrieve data that it uses to perform its work, rather than data specifically owned by the end user. This grant type flow occurs strictly between a client app and the authorization server. An end user does not participate in this grant type flow.

How it works

With the client credentials grant type flow, the client app requests an access token directly by providing its client ID and client secret keys. These keys are generated when you create a Developer App in Apigee Edge. Edge validates the credentials and returns an access token to the client. The client can then make secure calls to the resource server.

The API is called like this, where the client ID and secret are Base64-encoded and used in the Basic Auth header:

curl -H "Authorization: Basic <base64-encoded key:secret>"

The flow of this grant type looks like this:

alt text

Implementation on Apigee Edge

The client credentials sample uses one policy that executes on Apigee Edge: An OAuthV2 policy to generate the access token. The policy is attached to the /accesstoken endpoint (a custom flow on Apigee Edge).


To run this sample, you'll need:

  • The username and password that you use to login to

  • The name of the organization in which you have an account. Login to and check account settings.


  1. Edit this script with your environment details:


  2. cd to api-platform-samples/setup/provisioning

  3. Execute this script to set up required API products, developers, and apps in your organization:


  4. Enter your Edge password when prompted.

  5. Enter the name of this sample proxy when prompted. It is oauth-client-credentials.

Deploy and run the sample project

To deploy, run $ sh

To test, run $ sh


The script builds and executes the curl command shown below. The command calls the access token endpoint on Apigee Edge with the URL encoded client ID and client secret keys sent in the Authorization header.

curl -H "Authorization: Basic <base64-encoded key:secret>" 

AccessToken Response: 
  "issued_at" : "1416157639014",
  "application_name" : "e49ef95f-6d32-4062-ac9a-3beea62ca922",
  "scope" : "",
  "status" : "approved",
  "api_product_list" : "[Test App product]",
  "expires_in" : "3599",
  "" : "",
  "organization_id" : "0",
  "token_type" : "BearerToken",
  "client_id" : "kWocGgKENrdWRT0jq4l0F0ACnPAQsD3",
  "access_token" : "WNSnwquKualbgnGeAK0EXGqzO3A",
  "organization_name" : "example",
  "refresh_token_expires_in" : "0",
  "refresh_count" : "0"

Ask the community

alt text

Copyright © 2016 Apigee Corporation

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

You can’t perform that action at this time.