# Client Credentials Flow

a. Client submits a `client_id` and `client_secret` to the `token` endpoint. 
b. Server returns an *Access Token*.

<Callout icon="🚧" theme="warn">
  The `Content-Type` for this request is `application/x-www-form-urlencoded`.
</Callout>

Sample responses, by HTTP status code:

```json 200
{
   "access_token": "CZ0OAAAAAAAAEdt7AgAAAAAAGAEgAClebYBnbQEAADooMDMyMDg2MmExZWNlYjIyYWJhMjc1OGI4NzJlMGZhNWI5ZDYxN2Q0YkAC::644420::78997c",
   "token_type": "bearer",
   "expires_in": 43200
}
```

```xml 400
<BadClientCredentialsException>
    <error>invalid_client</error>
    <error_description>Bad client credentials</error_description>
</BadClientCredentialsException>
```

```html 403
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 Could not verify the provided CSRF token because your session was not found.</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /authentication/oauth/token/. Reason:
<pre>    Could not verify the provided CSRF token because your session was not found.</pre></p><hr><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.4.15.v20190215</a><hr/>

</body>
</html>
```

> 📘 Note
>
> **No** *Refresh Token* is returned.

> 🚧 Troubleshooting
>
> Make sure that the endpoint URL does **not** contain a trailing `/`.
>
> Otherwise, the server returns **403 - Not Found**, with the following HTML message:
> *"Could not verify the provided CSRF token because your session was not found"*
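
The request and the three sample responses above can be handled as follows. This is an added example, not Taboola's own code: the function names are hypothetical, the HTTPS check is an extra precaution not stated on this page, and the 200 body in the demo is constructed. The request is built but not sent, so the block runs offline.

```python
import json, time, urllib.parse, urllib.request
import xml.etree.ElementTree as ET

TOKEN_URL = "https://backstage.taboola.com/backstage/oauth/token"  # from this page

def build_token_request(client_id, client_secret, url=TOKEN_URL):
    """Build (without sending) the form-encoded POST for the client credentials grant."""
    if url.endswith("/"):
        # A trailing slash makes the server answer 403 with the CSRF HTML page.
        raise ValueError("token URL must not end with '/'")
    if not url.startswith("https://"):
        # Assumption of this example: never put client_secret on a non-TLS connection.
        raise ValueError("refusing to send client_secret over a non-HTTPS URL")
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",  # always this value for this flow
    }).encode()
    return urllib.request.Request(
        url, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(status, body, now=None):
    """Return the token and its expiry time on 200; raise a specific error otherwise."""
    if status == 200:
        doc = json.loads(body)
        if str(doc.get("token_type", "")).lower() != "bearer":
            raise ValueError("unexpected token_type")
        now = time.time() if now is None else now
        # No refresh token is returned: repeat the flow shortly before expires_at.
        return {"access_token": doc["access_token"],
                "expires_at": now + int(doc["expires_in"])}
    if status == 400:  # XML body, e.g. <error>invalid_client</error>
        root = ET.fromstring(body)
        raise PermissionError(
            f"{root.findtext('error')}: {root.findtext('error_description')}")
    if status == 403 and "CSRF token" in body:  # HTML body from the trailing-slash case
        raise ValueError("403 CSRF page: check the token URL for a trailing '/'")
    raise RuntimeError(f"unexpected HTTP status {status}")

if __name__ == "__main__":
    req = build_token_request("MY_ID", "MY_SECRET")  # placeholders from this page
    print(req.get_method(), req.full_url, req.get_header("Content-type"))
    sample = '{"access_token": "CONSTRUCTED", "token_type": "bearer", "expires_in": 43200}'
    print(parse_token_response(200, sample, now=0)["expires_at"])
```

Pass the result of `build_token_request` to `urllib.request.urlopen` to send it, and keep `client_secret` and the returned `access_token` out of logs and error messages.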

# OpenAPI definition

```json
{
  "openapi": "3.1.0",
  "info": {
    "title": "backstage-api",
    "version": "1.0"
  },
  "servers": [
    {
      "url": "https://backstage.taboola.com"
    }
  ],
  "components": {
    "securitySchemes": {
      "sec0": {
        "type": "oauth2",
        "flows": {
          "clientCredentials": {
            "tokenUrl": "https://backstage.taboola.com/backstage/oauth/token",
            "scopes": {}
          },
          "password": {
            "tokenUrl": "https://backstage.taboola.com/backstage/oauth/token",
            "scopes": {}
          }
        }
      }
    }
  },
  "security": [
    {
      "sec0": []
    }
  ],
  "x-readme": {
    "headers": [],
    "explorer-enabled": false,
    "proxy-enabled": false
  },
  "paths": {
    "/backstage/oauth/token": {
      "post": {
        "summary": "Client Credentials Flow",
        "description": "a. Client submits a `client_id` and `client_secret` to the `token` endpoint. \nb. Server returns an *Access Token*.",
        "operationId": "client-credentials-flow",
        "requestBody": {
          "content": {
            "application/x-www-form-urlencoded": {
              "schema": {
                "type": "object",
                "required": [
                  "client_id",
                  "client_secret",
                  "grant_type"
                ],
                "properties": {
                  "client_id": {
                    "type": "string",
                    "description": "Your `client_id` (as provided by your Taboola account manager).",
                    "default": "MY_ID"
                  },
                  "client_secret": {
                    "type": "string",
                    "description": "Your `client_secret` (as provided by your Taboola account manager).",
                    "default": "MY_SECRET"
                  },
                  "grant_type": {
                    "type": "string",
                    "description": "For the *Client Credentials* flow, `grant_type` is **always** `client_credentials`.",
                    "default": "client_credentials"
                  }
                }
              }
            }
          }
        },
        "deprecated": false,
        "security": []
      }
    }
  }
}
```