2.1.7.3.4 TLS Client Authentication Grant Type

When to use: For high-security backend integrations using mutual TLS.

Note:

  • The access token represents the application, not a user.
  • A refresh token is returned only if offline_access is enabled in the app configuration.

Sample code with mTLS enabled

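# --cert and --key present the client certificate and private key for the
# mutual TLS handshake; both file paths are placeholders.
curl --location 'https://<idcs_domain>/oauth2/v1/token' \
--cert '<path_to_client_cert.pem>' \
--key '<path_to_client_key.pem>' \
--header 'Authorization: Basic <base64Encoded clientid:secret>' \
--header 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=urn:opc:idm:__myscopes__' \
--data-urlencode 'client_id=<client_id>'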

Sample response

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "9e7d8f4a-xxxx-xxxx-xxxx-xxxx"
}

For more details, see TLS Client Authentication Grant Type.