
Get a M2M access token to test your APIs

This doc describes how to test the security of token exchange for your API connection and M2M apps, using Postman and Authorization code (with PKCE).

You can use this process to request tokens for your own and third-party APIs, and to test custom scopes added to claims. Below are the steps to generate ID and access tokens with Postman.

If you are testing user access tokens, see [Get a user access token to test your APIs].

Step 1: Add your API to Kinde


If you haven’t already, register your API with Kinde and set the audience.

Step 2: (Optional) Set up custom scopes for API access


If you have the relevant Kinde plan, you can add custom scopes to M2M access tokens for added API security. You might want to test these as part of this procedure.

Step 3: Send request via Postman


To securely connect to Kinde’s API, you need to obtain an access token. This procedure describes how to get the token using Postman - an API platform - but you can follow similar steps in your own app environment.

We recommend you do this in a non-production environment first. If you decide to use Postman, we recommend that you set up a Postman environment.

  1. Add your machine-to-machine (M2M) application keys as environment variables.

    Adding environment variables in Postman

  2. Set up a new collection or use your existing one.

  3. Go to the Authorization tab and ensure the Type is OAuth 2.0 and the Header Prefix is set to Bearer.

  4. In the Configure New Token section, set the Grant Type to Client Credentials. This is the grant type for hitting your API.

  5. Enter the Access Token URL, using the domain variable you created above. Note that even if you use a custom subdomain, the access token URL still needs to include the domain.

    Entering the access token URL

  6. Enter the Client ID and Client Secret for the M2M application you created in Kinde.

  7. (If you are using scopes) Add scopes to the token request. Enter scope values separated by a space, for example: read:calendar update:event delete:event

  8. Set the audience to https://[yourdomain] (replacing [yourdomain] with your own Kinde domain). To do this:

    1. Scroll down and expand the Advanced section.

    2. Add audience as the key and paste the URL as the value.

    3. Set Send in to Request body.

  9. In the Authorization section, select Get New Access Token. If it works, you should see a confirmation message.

    Access Token in Postman

  10. Select Use Token. You should now have the access token.

Step 4: Validate the token in your API


Check that the token contains the required information and is valid. Testing methods vary depending on your framework; here is a general overview of verifying JWTs and some recommended libraries.

Things to check include:

  • Audience
  • Lifetime / validity
  • Scopes
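The following is an added example, not Kinde's own code, that ties Step 3 and Step 4 together outside Postman: it builds the same client-credentials POST that the Postman settings above produce (grant type client_credentials, scopes space-separated, audience sent in the request body) and then checks the claims of the returned access token for the three items listed above (audience, lifetime, scopes). The token endpoint URL, the domain, the client ID and secret, and the sample token are all constructed placeholders; substitute the values from your own Kinde M2M application. The example deliberately does not verify the signature: that must be done against your Kinde JWKS with a JWT library, as the page recommends, before any of these claim checks are trusted.

```python
"""Added example (not Kinde's code): build a client-credentials token request
and check the audience, lifetime and scope claims of the resulting JWT."""
import base64
import json
import time
import urllib.request
from urllib.parse import urlencode


def build_token_request(token_url, client_id, client_secret, audience, scopes=()):
    """Return (url, headers, body) mirroring the Postman configuration in Step 3.

    token_url is the Access Token URL for your Kinde domain (assumed input);
    audience goes in the request body, scopes are joined with single spaces.
    """
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }
    if scopes:
        form["scope"] = " ".join(scopes)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return token_url, headers, urlencode(form)


def request_token(token_url, client_id, client_secret, audience, scopes=()):
    """Perform the POST and return the access token (network call, untested here)."""
    url, headers, body = build_token_request(token_url, client_id, client_secret, audience, scopes)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(jwt):
    """Parse the payload of a compact JWT WITHOUT verifying its signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims, expected_audience, required_scopes=(), now=None, leeway=0):
    """Return a list of problems; an empty list means the claims pass.

    Covers the Step 4 checklist: audience, lifetime/validity (exp, nbf) and scopes.
    The scope claim is accepted as a space-separated string or a list (assumption).
    """
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if expected_audience not in aud:
        problems.append(f"audience {aud!r} does not include {expected_audience!r}")
    exp = claims.get("exp")
    if exp is None:
        problems.append("missing exp claim")
    elif now > exp + leeway:
        problems.append("token expired")
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        problems.append("token not yet valid")
    scope = claims.get("scope", "")
    granted = set(scope.split()) if isinstance(scope, str) else set(scope)
    missing = sorted(set(required_scopes) - granted)
    if missing:
        problems.append(f"missing scopes: {missing}")
    return problems


def make_sample_token(claims):
    """Build a CONSTRUCTED, unsigned sample JWT so the checks can run offline."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample claims shaped like an M2M access token.
SAMPLE_CLAIMS = {
    "aud": ["https://example.kinde.com"],
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
    "scope": "read:calendar update:event",
}

if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS)
    print(check_claims(decode_claims(token), "https://example.kinde.com",
                       ("read:calendar",), now=1_700_000_100))
```

Run it as-is to see the constructed sample pass; to exercise a real token, call request_token with your Access Token URL, M2M client ID and secret, and audience, then feed the result through a signature-verifying JWT library before decode_claims and check_claims.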