Consumer Authentication

/

API reference

/

M2M Authentication

/

Token

/

Get Access Token

Get Access Token

POSThttps://test.stytch.com/v1/public/{project_id}/oauth2/token

Retrieve an access token for the given M2M Client. Access tokens are JWTs signed with the project's JWKS , and are valid for one hour after issuance. M2M Access tokens contain a standard set of claims as well as any custom claims generated from templates.

M2M Access tokens can be validated locally using the Authenticate Access Token method in the Stytch Backend SDKs, or with any library that supports JWT signature validation.

Here is an example of a standard set of claims from a M2M Access Token:

{
  "sub": "m2m-client-test-d731954d-dab3-4a2b-bdee-07f3ad1be885",
  "iss": "stytch.com/PROJECT_ID",
  "aud": ["PROJECT_ID"],
  "scope": "read:users write:users",
  "iat": 4102473300,
  "nbf": 4102473300,
  "exp": 4102476900
}

Important: Unlike other Stytch API endpoints, this endpoint is not authenticated with a project_id and project_secret pair. Instead, it is authenticated via the client_id and client_secret of an active M2M Client within the current project.

This endpoint is a RFC-6749 compliant token issuing endpoint.

  • This endpoint supports passing the client_id and client_secret within the request body as well as within a HTTP-Basic Auth header.
  • This endpoint supports both application/json and application/x-www-form-urlencoded content types.

Path parameters


project_id*string

Body parameters


client_id*string

client_secret*string

scopestring

grant_type*string

Response fields


status_codeint

request_idstring

access_tokenstring

token_typestring

expires_innumber
curl --request POST \
	--url https://test.stytch.com/v1/public/PROJECT_ID/oauth2/token \
	-H 'Content-Type: application/json' \
	-d '{
		"client_id": "m2m-client-test-d731954d-dab3-4a2b-bdee-07f3ad1be885",
		"client_secret": "NHQhc7ZqsXJVtgmN2MXr1etqsQrGAwJ-iBWNLKY7DzJj",
		"grant_type": "client_credentials"
	}'

RESPONSE

200
{
    "status_code": 200,
    "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
    "access_token": "eyJ...",
    "token_type": "bearer",
    "expires_in": 3600
}