Ozone

Open Finance Malaysia Developer Portal

Section 4: Obtaining Access Tokens via Client Credentials Grant

The Client Credentials Grant flow is used where your application authenticates to the OFP as itself, with no user involved. It is used to obtain access tokens for operations such as retrieving the providers list and consent management.


Overview

This section covers how to obtain an access token using the Client Credentials Grant flow with FAPI 2.0 compliance.

The Client Credentials Grant requires client authentication. Review the Client Authentication Methods section to understand your options before proceeding.


Prerequisites

Before making a Client Credentials Grant request, ensure you have:

Item                               | Where to Find                         | Notes
client_id                          | Issued by PayNet during registration  | Your technical OIDC client identifier
token_endpoint                     | From the well-known endpoint          | The OFP's token endpoint URL (do not construct it manually)
Client authentication credentials  | From Client Authentication Methods    | Either JWT signing material (private_key_jwt) or mTLS certificates (tls_client_auth)
mTLS transport certificate & key   | From your certificate files           | Required for all requests

Making the Request

Endpoint

POST {{token_endpoint}}

Transport Security

mTLS is required: present your transport certificate and key when opening the TLS connection (the --cert and --key options in the examples below). With tls_client_auth this connection is also your client authentication; with private_key_jwt it secures the channel and the signed client_assertion authenticates the client.

Headers

Content-Type: application/x-www-form-urlencoded
x-fapi-interaction-id: 550e8400-e29b-41d4-a716-446655440000

The x-fapi-interaction-id value is a placeholder: generate a fresh UUID for each request and log it, so a request can be correlated with the OFP's records if something goes wrong.

Request Body (Form-Encoded)

Base parameters (always required):

grant_type=client_credentials
&client_id={{CLIENT_ID}}
&scope=accounts

Plus client authentication parameters:

  • If using private_key_jwt: See Method 1: private_key_jwt for how to add client_assertion_type and client_assertion
  • If using tls_client_auth: No additional parameters needed; mTLS connection proves identity

Example cURL Request (private_key_jwt)

curl -X POST "{{token_endpoint}}" \
  --cert /path/to/transport-certificate.pem \
  --key /path/to/transport-key.pem \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "x-fapi-interaction-id: 550e8400-e29b-41d4-a716-446655440000" \
  -d "grant_type=client_credentials" \
  -d "client_id={{CLIENT_ID}}" \
  -d "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
  -d "client_assertion={{SIGNED_CLIENT_ASSERTION_JWT}}" \
  -d "scope=accounts"

Example cURL Request (tls_client_auth)

curl -X POST "{{token_endpoint}}" \
  --cert /path/to/transport-certificate.pem \
  --key /path/to/transport-key.pem \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "x-fapi-interaction-id: 550e8400-e29b-41d4-a716-446655440000" \
  -d "grant_type=client_credentials" \
  -d "client_id={{CLIENT_ID}}" \
  -d "scope=accounts"

Response

200 - Success Response

{
  "access_token": "eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "accounts"
}

Response Fields:

  • access_token: The access token to use in subsequent API requests. Treat it as a credential: keep it in memory or an encrypted store and never write it to logs.
  • token_type: Bearer. FAPI 2.0 requires sender-constrained access tokens; with mTLS the token is bound to the client certificate presented on the token request (RFC 8705), which is why the same transport certificate must accompany every resource request.
  • expires_in: Lifetime of the token in seconds (typically 3600 = 1 hour)
  • scope: The scope granted, echoed back (should match the requested scope, accounts here)

Using the Access Token

Include the access token in subsequent API requests:

curl -X GET "{{resource_endpoint}}" \
  --cert /path/to/transport-certificate.pem \
  --key /path/to/transport-key.pem \
  -H "Authorization: Bearer {{ACCESS_TOKEN}}" \
  -H "x-fapi-interaction-id: 550e8400-e29b-41d4-a716-446655440000"

Replace {{ACCESS_TOKEN}} with the value from the access_token field in the response.


Token Expiration

The Client Credentials Grant does not issue a refresh token; there is no user session to extend. When the token expires (after expires_in seconds):

  1. Repeat the Client Credentials Grant request to obtain a new access token
  2. Cache the token and track its expiry in your application so you do not call the token endpoint for every API request; renew a little before expires_in elapses to allow for clock skew and request latency, and treat a 401 with error=invalid_token from a resource endpoint as a reason to fetch a new token once, not to retry in a loop
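The request rules above (base parameters, plus client_assertion_type and client_assertion only for private_key_jwt) and the caching advice in this section, as an added example in Python; this is not code from the Ozone or Open Finance Malaysia portal. build_token_request, check_token_response, TokenCache and FakeTokenEndpoint are names chosen here, FakeTokenEndpoint is a constructed stand-in for the OFP token endpoint so the module runs offline, and the 60-second renewal margin is an assumed value, not a portal requirement.

```python
"""Client Credentials Grant helper: request body, response checks, token cache.
Added example for this section, not code from the Ozone / Open Finance Malaysia
portal. Names and the 60 s renewal margin are this example's own choices."""
import threading
import time
import urllib.parse

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def build_token_request(client_id, scope="accounts", auth_method="tls_client_auth",
                        client_assertion=None):
    """Form-encoded body for POST {{token_endpoint}}.
    grant_type, client_id and scope are always sent. private_key_jwt adds the two
    client_assertion parameters; tls_client_auth adds nothing, because the mTLS
    connection itself proves the client's identity."""
    params = {"grant_type": "client_credentials", "client_id": client_id, "scope": scope}
    if auth_method == "private_key_jwt":
        if not client_assertion:
            raise ValueError("private_key_jwt needs a signed client_assertion JWT")
        params["client_assertion_type"] = CLIENT_ASSERTION_TYPE
        params["client_assertion"] = client_assertion
    elif auth_method != "tls_client_auth":
        raise ValueError(f"unsupported client authentication method: {auth_method}")
    return urllib.parse.urlencode(params)


def check_token_response(status, body, requested_scope):
    """Validate the token response; returns (access_token, expires_in seconds)."""
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {body.get('error')}")
    if body.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {body.get('token_type')!r}")
    # RFC 6749 lets the server omit scope when it equals the request; otherwise
    # make sure nothing we asked for was silently dropped.
    granted = set(body.get("scope", requested_scope).split())
    if not set(requested_scope.split()) <= granted:
        raise RuntimeError(f"scope not granted: wanted {requested_scope!r}, got {granted}")
    return body["access_token"], int(body["expires_in"])


class TokenCache:
    """One cached token per scope, renewed before expires_in elapses.
    There is no refresh token for this grant, so renewal simply repeats the
    client credentials request. SKEW seconds are subtracted from the lifetime
    so a token is never presented in its final moments (clock drift, latency)."""
    SKEW = 60  # assumed margin, not a portal requirement

    def __init__(self, fetch, clock=time.monotonic):
        self._fetch = fetch          # callable(scope) -> (status, json_body)
        self._clock = clock
        self._lock = threading.Lock()
        self._tokens = {}            # scope -> (access_token, expires_at)

    def get(self, scope="accounts"):
        with self._lock:
            cached = self._tokens.get(scope)
            if cached and self._clock() < cached[1]:
                return cached[0]
            token, ttl = check_token_response(*self._fetch(scope), scope)
            self._tokens[scope] = (token, self._clock() + max(ttl - self.SKEW, 1))
            return token

    def invalidate(self, scope="accounts"):
        """Drop a token a resource endpoint rejected (401 invalid_token); then get() once more."""
        with self._lock:
            self._tokens.pop(scope, None)


class FakeTokenEndpoint:
    """Constructed stand-in for the OFP token endpoint, for offline use only."""
    def __init__(self):
        self.calls = 0

    def __call__(self, scope):
        self.calls += 1
        return 200, {"access_token": f"tok-{self.calls}", "token_type": "Bearer",
                     "expires_in": 3600, "scope": scope}


def demo():
    """Three calls across a simulated hour: only the first and last hit the endpoint."""
    now = [0.0]
    endpoint = FakeTokenEndpoint()
    cache = TokenCache(endpoint, clock=lambda: now[0])
    first = cache.get()          # no token yet -> request 1
    now[0] += 3000
    same = cache.get()           # 600 s left, still served from cache
    now[0] += 600                # past 3600 - 60 -> renew -> request 2
    renewed = cache.get()
    return first, same, renewed, endpoint.calls
```

In production the fetch callable is where the POST over mTLS happens (the curl calls above, or an HTTPS client loaded with the transport certificate and key); the cache and the response checks stay the same. On a 401 with error=invalid_token from a resource endpoint, call invalidate() and retry the request once with a fresh token rather than looping.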

Next Steps

Once you have obtained an access token:




© 2026 Open Finance Malaysia Developer Portal. All rights reserved.