Skip to main content
curl --request POST \
  --url https://test.stytch.com/v1/public/PROJECT_ID/oauth2/token \
  -H 'Content-Type: application/json' \
  -d '{
    "client_id": "m2m-client-test-d731954d-dab3-4a2b-bdee-07f3ad1be885",
    "client_secret": "NHQhc7ZqsXJVtgmN2MXr1etqsQrGAwJ-iBWNLKY7DzJj",
    "grant_type": "client_credentials"
  }'

{
    "status_code": 200,
    "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
    "access_token": "eyJ...",
    "token_type": "bearer",
    "expires_in": 3600
}
POST
/
v1
/
public
/
{project_id}
/
oauth2
/
token
curl --request POST \
  --url https://test.stytch.com/v1/public/PROJECT_ID/oauth2/token \
  -H 'Content-Type: application/json' \
  -d '{
    "client_id": "m2m-client-test-d731954d-dab3-4a2b-bdee-07f3ad1be885",
    "client_secret": "NHQhc7ZqsXJVtgmN2MXr1etqsQrGAwJ-iBWNLKY7DzJj",
    "grant_type": "client_credentials"
  }'

{
    "status_code": 200,
    "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
    "access_token": "eyJ...",
    "token_type": "bearer",
    "expires_in": 3600
}
Access tokens are JWTs signed with the project’s JWKS and are valid for one hour after issuance. M2M Access tokens contain a standard set of claims as well as any custom claims generated from templates. M2M Access tokens can be validated locally using the Authenticate Access Tokenmethod in the Stytch Backend SDKs, or with any library that supports JWT signature validation. Here is an example of a standard set of claims from an M2M Access Token: 
  {
    "sub": "m2m-client-test-d731954d-dab3-4a2b-bdee-07f3ad1be885",
    "iss": "stytch.com/PROJECT_ID",
    "aud": ["PROJECT_ID"],
    "scope": "read:users write:users",
    "iat": 4102473300,
    "nbf": 4102473300,
    "exp": 4102476900
  }
Unlike other Stytch API endpoints, this endpoint is not authenticated with a project_id and project_secret pair. Instead, it is authenticated via the client_id and client_secret of an active M2M Client within the current project.
This endpoint is a RFC-6749 compliant token issuing endpoint.
  • This endpoint supports passing the client_id and client_secret within the request body as well as within a HTTP-Basic Auth header.
  • This endpoint supports both application/json and application/x-www-form-urlencoded content types.

Path parameters

project_id
string
required
The ID of the Stytch project.

Body

client_id
string
required
The ID of the client.
client_secret
string
required
The secret of the client.
scope
string
A space delimited string of scopes requested. If omitted, all scopes assigned to the client will be returned.
grant_type
string
required
The OAuth2 defined grant type that should be used to acquire an access token. Only “client_credentials” is supported for M2M Clients. An error will be returned if this parameter is omitted.

Response

access_token
string
The access token granted to the client. Access tokens are JWTs signed with the project’s JWKS.
token_type
string
The type of the returned access token. Today, this value will always be equal to “bearer”
expires_in
number
The lifetime in seconds of the access token. For example, the value 3600 denotes that the access token will expire in one hour from the time the response was generated.
request_id
string
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
status_code
number
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.