Retrieve an access token for the given M2M Client. Access tokens are JWTs signed with the project's JWKS , and are valid for one hour after issuance. M2M Access tokens contain a standard set of claims as well as any custom claims generated from templates.
M2M Access tokens can be validated locally using the Authenticate Access Token method in the Stytch Backend SDKs, or with any library that supports JWT signature validation.
Here is an example of a standard set of claims from a M2M Access Token:
{
"sub": "m2m-client-test-d731954d-dab3-4a2b-bdee-07f3ad1be885",
"iss": "stytch.com/PROJECT_ID",
"aud": ["PROJECT_ID"],
"scope": "read:users write:users",
"iat": 4102473300,
"nbf": 4102473300,
"exp": 4102476900
}
Important: Unlike other Stytch API endpoints, this endpoint is not authenticated with a project_id and project_secret pair. Instead, it is authenticated via the client_id and client_secret of an active M2M Client within the current project.
This endpoint is a RFC-6749 compliant token issuing endpoint.
- This endpoint supports passing the client_id and client_secret within the request body as well as within a HTTP-Basic Auth header.
- This endpoint supports both application/json and application/x-www-form-urlencoded content types.