
Authenticate with M2M applications

You can use a Machine-to-Machine (M2M) application in Kinde to request access tokens using the OAuth 2.0 client credentials flow. These tokens can be used to call Kinde’s APIs or your own APIs with no user interaction required.

Authorize your application

Before an M2M app can request a token for a specific API audience, it must be authorized for that API.

You can do this in the Kinde dashboard:

  1. Go to the M2M application
  2. Select APIs
  3. Choose which APIs this app is allowed to call
  4. Select Save

You can also authorize apps programmatically using the Kinde Management API.

If the app is not authorized for the given audience, the token request will fail.

Get an access token

Your M2M application is issued a client_id and a client_secret, which you use to request a token.

To get a token, make a POST request to your Kinde environment’s token endpoint:

POST https://<your-subdomain>.kinde.com/oauth2/token

Required parameters

The request body must include:

grant_type=client_credentials
&client_id=<your-client-id>
&client_secret=<your-client-secret>
&audience=<your-api-audience>

If your app has scopes assigned, you can optionally request them:

&scope=read:users write:flags

Note: The audience parameter tells Kinde which API the token is intended for. Use https://<your-subdomain>.kinde.com/api/v1 when calling Kinde’s management API. If you’re protecting your own custom API, the audience should match the identifier you registered for that API in Kinde.

Example (cURL)

curl --request POST 'https://your-subdomain.kinde.com/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=your-client-id' \
--data-urlencode 'client_secret=your-client-secret' \
--data-urlencode 'audience=your-api-audience' \
--data-urlencode 'scope=read:users write:flags'
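The same token request in Python, as an added example that is not Kinde's SDK or code: it builds the form body with only the standard library, parses either the success response or the OAuth 2.0 error body (for instance when the app is not authorized for the audience), and caches the token so it is renewed shortly before expires_in runs out instead of being requested on every call. The subdomain, client credentials and audience are placeholders.

```python
"""Request a Kinde M2M access token with the client credentials grant.

Added example, not Kinde's SDK: it uses only the Python standard library.
Assumes the token endpoint https://<subdomain>.kinde.com/oauth2/token and the
response shape {"access_token", "token_type", "expires_in"} shown above.
All credential values are constructed placeholders.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request


def build_token_request(subdomain, client_id, client_secret, audience, scopes=None):
    """Return (url, body, headers) for a POST to the token endpoint.

    urlencode escapes ':' and '/' in the audience and joins scopes with a
    space, so the body is a valid application/x-www-form-urlencoded payload.
    """
    params = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }
    if scopes:
        params["scope"] = " ".join(scopes)
    url = f"https://{subdomain}.kinde.com/oauth2/token"
    body = urllib.parse.urlencode(params).encode("utf-8")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, body, headers


def parse_token_response(raw, now=None):
    """Parse the token endpoint's JSON body into {access_token, expires_at}.

    An OAuth 2.0 error response (e.g. the app is not authorized for the
    audience) carries {"error": ..., "error_description": ...} instead.
    """
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(f"token request failed: {data['error']}: "
                           f"{data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    now = time.time() if now is None else now
    return {"access_token": data["access_token"],
            "expires_at": now + int(data["expires_in"])}


def fetch_token(subdomain, client_id, client_secret, audience, scopes=None):
    """Perform the real HTTP request (needs network access and valid credentials)."""
    url, body, headers = build_token_request(subdomain, client_id, client_secret,
                                             audience, scopes)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.read())
    except urllib.error.HTTPError as err:
        # A 4xx response still carries the JSON error body; surface its reason.
        return parse_token_response(err.read())


class TokenCache:
    """Reuse one token across calls and renew it shortly before it expires.

    Requesting a token per API call is wasteful, and using a cached one past
    `expires_in` fails. `fetch(now)` is injected so the cache can be
    exercised without network access.
    """

    def __init__(self, fetch, leeway=60):
        self._fetch = fetch
        self._leeway = leeway
        self._token = None

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._token["expires_at"] - self._leeway:
            self._token = self._fetch(now)
        return self._token["access_token"]

    def auth_header(self, now=None):
        return {"Authorization": f"Bearer {self.get(now)}"}


if __name__ == "__main__":
    # Placeholders for your app's values; the call below requires network access.
    cache = TokenCache(lambda now: fetch_token(
        "your-subdomain", "your-client-id", "your-client-secret",
        "your-api-audience", ["read:users", "write:flags"]))
    headers = cache.auth_header()
    print("obtained a bearer token; do not log its value")
```

Keep the client_secret out of source control and logs; the cache holds the token only in memory and renews it 60 seconds before expiry, so a long-running service never sends an expired token.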

Successful response

A successful request returns a JSON response with an access token:

{
"access_token": "<token>",
"token_type": "Bearer",
"expires_in": 3600
}

Once you have a token, include it as a Bearer token in the Authorization header when making API calls:

Authorization: Bearer <token>

Calling a Kinde API:

curl https://your-subdomain.kinde.com/api/v1/organizations \
-H "Authorization: Bearer <token>"

  • Access tokens are valid for 1 hour by default.
  • The audience must match the intended API — tokens are only valid for the audience they’re issued for.
  • You can request multiple audiences.
  • If your M2M app is scoped to an organization, the token will include the org_code trusted claim.
  • Tokens are JWTs and can be decoded to inspect claims using standard libraries or tools like Kinde’s JWT decoder.
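The points above, as an added example that is not Kinde code: decode the JWT payload to inspect its claims, then apply the checks a custom API should make before accepting the token (the audience matches the identifier registered for that API, the token has not expired, and for an org-scoped app the org_code is the expected one). Decoding alone proves nothing, so a resource server must also verify the signature against the issuer's published signing keys; that step is not shown here. The sample token is constructed with a dummy signature, and its claim values are placeholders.

```python
"""Decode and sanity-check the claims in a Kinde M2M access token.

Added example, not Kinde code. It decodes the JWT payload for inspection
and applies the checks an API should make before accepting the token:
audience match, expiry, and (for org-scoped apps) the org_code claim.
It does NOT verify the signature; a resource server must do that against
the issuer's published signing keys before trusting any claim.
The sample token below is constructed with a dummy signature so it runs offline.
"""
import base64
import json
import time


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token):
    """Return the payload of a compact JWT as a dict (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims, expected_audience, now=None, expected_org=None, leeway=0):
    """Return a list of problems; an empty list means the basic checks passed."""
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # RFC 7519: aud may be one string or a list
        aud = [aud]
    if expected_audience not in aud:
        problems.append(f"audience mismatch: token is for {aud}, "
                        f"not {expected_audience!r}")
    exp = claims.get("exp")
    if exp is None:
        problems.append("missing exp claim")
    elif now > exp + leeway:
        problems.append(f"token expired at {exp}")
    if expected_org is not None and claims.get("org_code") != expected_org:
        problems.append(f"org_code {claims.get('org_code')!r} != {expected_org!r}")
    return problems


def make_sample_token(claims):
    """Build a constructed token for demonstration; the signature is a dummy."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Constructed claims shaped like the page describes (issuer, audience list,
# org_code for an org-scoped app, 3600-second lifetime). Real tokens carry more.
SAMPLE_CLAIMS = {
    "iss": "https://your-subdomain.kinde.com",
    "aud": ["https://your-subdomain.kinde.com/api/v1"],
    "org_code": "org_example",
    "iat": 1700000000,
    "exp": 1700003600,
}


if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS)
    claims = decode_claims(token)
    print("claims:", claims)
    print("for the management API:",
          check_claims(claims, "https://your-subdomain.kinde.com/api/v1", now=1700000100))
    print("for a different API:",
          check_claims(claims, "https://api.example.com", now=1700000100))
```

In a real API, run the signature verification first (a JWT library fed with the issuer's JSON Web Key Set), then these claim checks; a token that verifies but names a different audience must still be rejected, which is what the second call in the usage section shows.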

Test your M2M app from the Kinde dashboard

You can also generate a token from the UI:

  1. Go to your M2M app in Kinde
  2. Select the Test tab
  3. Choose the API you want to test against
  4. Select Generate token
  5. Copy the access token and use it in your API requests

This is useful for debugging or verifying scopes and claims without writing code.