M2M overview
Machine-to-Machine (M2M)
You can use a Machine-to-Machine (M2M) application in Kinde to request access tokens using the OAuth 2.0 client credentials flow. These tokens can be used to call Kinde’s APIs or your own APIs with no user interaction required.
Before an M2M app can request a token for a specific API audience, it must be authorized for that API.
You can do this in the Kinde dashboard, or authorize apps programmatically using the Kinde Management API.
If the app is not authorized for the given audience, the token request will fail.
Your M2M application will be provided with a client_id and client_secret, which can be used to request a token.
To get a token, make a POST request to your Kinde environment’s token endpoint:
POST https://<your-subdomain>.kinde.com/oauth2/token
The request body must include:
grant_type=client_credentials&client_id=<your-client-id>&client_secret=<your-client-secret>&audience=<your-api-audience>
If your app has scopes assigned, you can optionally request them:
&scope=read:users write:flags
Note: The audience parameter tells Kinde which API the token is intended for. Use https://<your-subdomain>.kinde.com/api/v1 when calling Kinde’s management API. If you’re protecting your own custom API, the audience should match the identifier you registered for that API in Kinde.
curl --request POST 'https://your-subdomain.kinde.com/oauth2/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_id=your-client-id' \
  --data-urlencode 'client_secret=your-client-secret' \
  --data-urlencode 'audience=your-api-audience' \
  --data-urlencode 'scope=read:users write:flags'
A successful request returns a JSON response with an access token:
{
  "access_token": "<token>",
  "token_type": "Bearer",
  "expires_in": 3600
}
Once you have a token, include it as a Bearer token in the Authorization header when making API calls:
Authorization: Bearer <token>
Calling a Kinde API:
curl https://your-subdomain.kinde.com/api/v1/organizations \
  -H "Authorization: Bearer <token>"
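The token request and the authenticated API call above, put together in a small client. This is an added example, not Kinde’s SDK or sample code: it assumes only the token endpoint, form body and Bearer header documented on this page. The transport is injectable so the block runs offline against a constructed fake that mimics two behaviours the page describes: a 200 with an expires_in value when the audience is authorized, and a failed request when it is not (the fake’s error body is made up, not Kinde’s real error format). The client caches the token until shortly before expires_in so every API call does not cost a token request, and sends the client_secret only in the POST body, never in the URL.

```python
import json
import time
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen


class TokenRequestError(Exception):
    """Raised when the token endpoint answers with anything but HTTP 200
    (for example, the app is not authorized for the requested audience)."""


def urllib_transport(url, headers, body=None):
    """Real HTTP transport: POST when a body is given, otherwise GET.
    Returns (status, response_text); HTTP error statuses are returned, not raised."""
    method = "POST" if body is not None else "GET"
    req = Request(url, data=body, headers=headers, method=method)
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


class M2MClient:
    REFRESH_MARGIN = 60  # seconds before expiry at which a fresh token is fetched

    def __init__(self, subdomain, client_id, client_secret, audience,
                 scopes=(), transport=urllib_transport, clock=time.time):
        self.token_url = f"https://{subdomain}.kinde.com/oauth2/token"
        self.client_id = client_id
        self.client_secret = client_secret
        self.audience = audience
        self.scopes = tuple(scopes)
        self.transport = transport
        self.clock = clock
        self._token = None
        self._expires_at = 0.0

    def build_token_body(self):
        """Form-encoded client_credentials request body (secret goes in the body, not the URL)."""
        params = {
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "audience": self.audience,
        }
        if self.scopes:
            # scopes are space-separated; urlencode() percent-encodes the spaces
            params["scope"] = " ".join(self.scopes)
        return urlencode(params).encode()

    def get_token(self):
        """Return a cached token, or fetch a new one when none is held or it is about to expire."""
        now = self.clock()
        if self._token and now < self._expires_at - self.REFRESH_MARGIN:
            return self._token
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        status, body = self.transport(self.token_url, headers, self.build_token_body())
        if status != 200:
            raise TokenRequestError(f"token endpoint returned {status}: {body}")
        payload = json.loads(body)
        self._token = payload["access_token"]
        self._expires_at = now + int(payload["expires_in"])
        return self._token

    def get(self, url):
        """GET an API URL with the token in the Authorization header."""
        return self.transport(url, {"Authorization": f"Bearer {self.get_token()}"}, None)


# ---- constructed offline stand-ins (not Kinde's real responses) ----

class FakeClock:
    """Controllable clock so token expiry can be exercised without waiting."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


def make_fake_transport(authorized_audience):
    """Fake transport: issues a token only for the one authorized audience,
    and accepts API calls only with that token. Returns (transport, call_counts)."""
    calls = {"token": 0, "api": 0}

    def transport(url, headers, body=None):
        if url.endswith("/oauth2/token"):
            calls["token"] += 1
            form = parse_qs(body.decode())
            if form.get("audience") != [authorized_audience]:
                # constructed failure body; the page only says the request fails
                return 403, json.dumps({"error": "app not authorized for audience"})
            return 200, json.dumps({"access_token": "constructed-token",
                                    "token_type": "Bearer", "expires_in": 3600})
        calls["api"] += 1
        if headers.get("Authorization") != "Bearer constructed-token":
            return 401, ""
        return 200, json.dumps({"organizations": []})

    return transport, calls


if __name__ == "__main__":
    transport, calls = make_fake_transport("https://acme.kinde.com/api/v1")
    client = M2MClient("acme", "your-client-id", "your-client-secret",
                       "https://acme.kinde.com/api/v1", scopes=("read:users", "write:flags"),
                       transport=transport, clock=FakeClock())
    print(client.get("https://acme.kinde.com/api/v1/organizations"), calls)
```

To talk to a real environment, construct M2MClient without the transport and clock arguments; the defaults use urllib and the wall clock.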
audience must match the intended API: tokens are only valid for the audience they’re issued for.
org_code trusted claim.
You can also generate a token from the UI:
This is useful for debugging or verifying scopes and claims without writing code.