
Client credentials

The OAuth 2.0 client credentials grant flow permits a web service to use its own credentials, instead of impersonating a user, to authenticate when calling another web service.

In the client credentials flow, permissions are granted directly to the application itself by an administrator. (For example, when you create an in-house application and the seller confirms the connection between the in-house application and the seller's stores, all permissions of that seller are granted directly to your application.)

Since your client app has all the permissions that are needed, it does not need to request authorization from the resource owner anymore. So, it only needs to send its credentials (client_id and client_secret) to the authorization server to get an access token.

The authorization server will authenticate client credentials before returning a response with an access token.

These are the parameters you send to the authorization server at the token endpoint:

| Parameter | Value | Note |
|---|---|---|
| grant_type | client_credentials | Fixed |
| client_id | 7590139168389961 | Your app id |
| client_secret | | Send the client secret in the basic header or in the request body, see Token endpoint auth method |

The API request should look like this (the following example uses the basic header method):

# The Basic header value is base64(client_id:client_secret); it is truncated in this example.
curl --location --request POST 'https://api.tiki.vn/sc/oauth2/token' \
--header 'Authorization: Basic NzU5MDEzOTE2ODM4OTk2MTp0ZlNsMGM2...' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials'

Finally, you get an access token. Store your access tokens somewhere safe and send the access token with your requests to retrieve protected resources.

With client credentials, there is no refresh token. Every time your access token expires, you only need to authenticate your client app credentials again (running the client credentials flow once more) to acquire a new access token.
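As an added example (not Tiki's own client library), here is a small Python client that builds the token request for either auth method, computes the Basic header that the curl command above sends, and caches the access token so the grant is only re-run shortly before the token expires, since there is no refresh token. `TokenCache`, `build_token_request`, `http_post`, the `post` callback and the `expires_in` field of the response are assumptions; the endpoint URL and the grant_type are the ones on this page.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.tiki.vn/sc/oauth2/token"  # token endpoint shown on this page


def basic_header(client_id, client_secret):
    """HTTP Basic value carrying client_id:client_secret (the 'basic header' method)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id, client_secret, method="basic"):
    """Return (headers, body) for grant_type=client_credentials using either auth method."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "client_credentials"}
    if method == "basic":
        headers["Authorization"] = basic_header(client_id, client_secret)
    elif method == "body":  # 'request body' method: credentials travel as form fields
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError("method must be 'basic' or 'body'")
    return headers, urllib.parse.urlencode(form).encode("ascii")


class TokenCache:
    """Keeps one access token in memory and re-runs the grant shortly before expiry
    (there is no refresh token in this flow, so expiry means authenticating again)."""

    def __init__(self, client_id, client_secret, post, method="basic", skew=30, clock=time.time):
        self._id, self._secret, self._post, self._method = client_id, client_secret, post, method
        self._skew, self._clock = skew, clock  # skew: renew this many seconds early
        self._token, self._expires_at, self.fetches = None, 0.0, 0

    def access_token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            headers, body = build_token_request(self._id, self._secret, self._method)
            resp = self._post(TOKEN_URL, headers, body)  # post() returns the parsed JSON response
            self._token = resp["access_token"]
            self._expires_at = now + float(resp.get("expires_in", 0))
            self.fetches += 1
        return self._token


def http_post(url, headers, body):
    """Real transport for TokenCache (assumed helper): POST the form, parse the JSON response."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as r:
        return json.load(r)
```

To go live, pass `http_post` as the `post` argument; keep the secret and the cached token out of logs and source control.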
