Step-by-Step: Client Credentials Flow

This walkthrough shows how a service app authenticates with the ERP.net Identity Server and calls the APIs using the Client Credentials grant.

Prerequisites

Register a Trusted Application with:

Attribute              Value                          Notes
ApplicationUri         my.trusted.app/service         Used as client_id
ClientType             Confidential                   Service app must keep a secret
ApplicationSecretHash  base64(sha256(your-secret))    Store only the hash
SystemUserAllowed      true                           Enables service access
SystemUser             svc.integration                Least-privilege account
Scope                  read DomainApi                 Request only what you need
IsEnabled              true                           App is active

1) Request an access token

HTTP form:

POST /id/connect/token HTTP/1.1
Host: testdb.my.erp.net
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&
client_id=my.trusted.app/service&
client_secret=<your_plain_client_secret>&
scope=read

Successful response

{
  "access_token": "<access_token>",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "read"
}

2) Call ERP.net APIs

GET /api/domain/odata/Crm_Customers?$top=10 HTTP/1.1
Host: testdb.my.erp.net
Authorization: Bearer <access_token>

  • The call executes under the System User configured in the Trusted Application.
  • A session is created when the token is first used, not when issued.

3) Handle expiry

When the API returns 401 Unauthorized, the access token has most likely expired. Request a fresh token with the same client credentials and retry the API call.

Note

Refresh tokens are not issued for Client Credentials. Always request a new access token.
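The three steps above, put together as an added example (this is not ERP.net's own client library): a small Python service client that requests a token from /id/connect/token with the Client Credentials grant, calls the OData API with it, and, on a 401, requests one fresh token and retries once rather than looping. It also shows the base64(sha256(secret)) form the ApplicationSecretHash column expects, and logs only the tail of a token. The instance name, client id and secret are constructed sample values; the `transport` parameter is an assumption added so the client can be exercised against a fake server.

```python
import base64
import hashlib
import json
import logging
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# Constructed sample values for this example, not real credentials.
INSTANCE = "testdb.my.erp.net"
CLIENT_ID = "my.trusted.app/service"
CLIENT_SECRET = "example-secret-change-me"

log = logging.getLogger("erp_client")


def application_secret_hash(secret: str) -> str:
    """base64(sha256(secret)): the value stored in ApplicationSecretHash.
    The plain secret is only ever sent in the token request, never stored."""
    digest = hashlib.sha256(secret.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def redact_token(token: str, keep: int = 8) -> str:
    """Keep only the last few characters so a log line is traceable but useless to an attacker."""
    return "..." + token[-keep:] if len(token) > keep else "..."


class HttpTransport:
    """Thin urllib wrapper returning (status, body_text); HTTP errors are returned, not raised."""

    def request(self, method, url, headers=None, body=None):
        req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.getcode(), resp.read().decode("utf-8")
        except HTTPError as e:
            return e.code, e.read().decode("utf-8", "replace")


class ErpClient:
    def __init__(self, instance, client_id, client_secret, scope="read", transport=None):
        self.base = f"https://{instance}"          # always the instance's own /id and /api roots
        self.client_id = client_id
        self.client_secret = client_secret
        self.scope = scope
        self.transport = transport or HttpTransport()  # hypothetical hook for testing
        self.access_token = None

    def request_token(self):
        """Step 1: POST the client credentials form and keep the returned access_token."""
        form = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "scope": self.scope,
        }).encode("ascii")
        status, body = self.transport.request(
            "POST", f"{self.base}/id/connect/token",
            headers={"Content-Type": "application/x-www-form-urlencoded"}, body=form)
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status}")
        data = json.loads(body)
        self.access_token = data["access_token"]
        log.info("obtained token %s (expires_in=%s)",
                 redact_token(self.access_token), data.get("expires_in"))
        return self.access_token

    def get(self, path):
        """Steps 2 and 3: call the API with the bearer token; on 401 fetch a new token and retry once."""
        if self.access_token is None:
            self.request_token()
        for attempt in range(2):
            status, body = self.transport.request(
                "GET", f"{self.base}{path}",
                headers={"Authorization": f"Bearer {self.access_token}"})
            if status == 401 and attempt == 0:
                log.info("API returned 401; requesting a fresh token (no refresh tokens in this grant)")
                self.request_token()
                continue
            if status != 200:
                raise RuntimeError(f"API returned {status}")
            return json.loads(body)


if __name__ == "__main__":
    client = ErpClient(INSTANCE, CLIENT_ID, CLIENT_SECRET)
    print(client.get("/api/domain/odata/Crm_Customers?$top=10"))
```

The single retry is deliberate: a second 401 after a freshly issued token means the problem is not expiry (wrong System User, disabled application, insufficient scope) and should surface as an error rather than a retry storm against the token endpoint.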

Security best practices

  • Store client_secret only on secure servers. Never ship secrets to browsers or mobile apps.
  • Use a dedicated System User with least privilege. Rotate its password and the client secret periodically.
  • Do not log full tokens. Log hashes or last 6 to 8 characters for traceability.
  • Send requests only to the correct instance: https://{instance}/id.
