Quick start

This guide shows you how to create a Machine-to-Machine (M2M) application in Kinde, authorize it for an API, and use the client credentials flow to get a token and make a secure API request.

Step 1 - Create a machine-to-machine app

  1. Go to the Applications section in your Kinde dashboard
  2. Select Machine-to-machine apps
  3. Choose Add M2M application
  4. Enter a name

Step 2 - Create an API in Kinde (if you don’t have one)

You can skip this step if you already have an API registered in Kinde.

  1. Go to the APIs section in your Kinde dashboard
  2. Select Add API
  3. Enter a name
  4. Select Save

For more detail, see Register and manage APIs.

Step 3 - Authorize the app to access an API

  1. Open your newly created app
  2. Go to the APIs tab
  3. Select the API (audience) this app should be allowed to call
  4. Select Save

If you skip this step, token requests will be rejected.

Step 4 - (Optional) Add scopes

If your API uses scopes to define permissions:

  1. Go to APIs in your Kinde dashboard
  2. Choose the API you’re protecting
  3. Add scopes (e.g. read:users, write:flags)
  4. Go back to your M2M app and assign those scopes

For more detail, see Define and manage API scopes.

Step 5 - Get a token

You can test the app in one of two ways:

Option A - Use the Test tab in Kinde

  1. Open your M2M app
  2. Go to the Test tab
  3. Select the API (audience)
  4. Copy the generated token

Option B - Use the client credentials flow directly

curl --request POST 'https://<your-subdomain>.kinde.com/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=your-client-id' \
--data-urlencode 'client_secret=your-client-secret' \
--data-urlencode 'audience=<your-api-audience>' \
--data-urlencode 'scope=read:users write:flags'

The response will include a bearer token you can use in requests:

{
  "access_token": "<token>",
  "token_type": "Bearer",
  "expires_in": 3600
}

Step 6 - Use the token in an API call

Include the token in the Authorization header:

curl https://your-subdomain.kinde.com/v1/organizations \
-H "Authorization: Bearer <token>"