Client Credentials Flow.
An OAuth 2.0 flow for machine-to-machine authentication in which the client authenticates with its own credentials, with no user involvement.
Client Credentials is for services authenticating themselves, not for AI agents acting on behalf of a user. The latter is the on-behalf-of pattern, which requires Authorization Code or CIBA to capture user consent. Confusing the two leads to over-permissioned agent tokens that don't bind to the consenting user.
Common questions
When should I use Client Credentials Flow?
How does Client Credentials differ from user-driven flows?
Should I use client secrets or signed assertions?
In the guides
AI Agent Identity and MCP: Authenticating Non-Human Identities
How CIAM evolves for AI agents in 2026: MCP, OAuth 2.1 Dynamic Client Registration, scoped agent tokens, and patterns separating agent from human identity.
OAuth 2.1 Explained: What Changed and Why It Matters
OAuth 2.1 consolidates fifteen years of OAuth 2.0 practice into a single coherent specification. What it deprecates, what it requires, and how to migrate existing OAuth 2.0 code.