Client Credentials Grant
The OAuth 2.0 client credentials grant is designed for server-to-server authorization (without user involvement). A client (e.g., application server) directly submits "client ID + client secret" to the authorization server. Upon successful verification, it obtains an access token to access protected resources (e.g., APIs). This simple flow involves no user interaction and is primarily used for backend machine-to-machine authorization. This mode supports accessing interfaces using any employee's ID.
# Request Specification
HTTP Method: POST + application/json
Endpoint: https://${cloud domain}/oauth2.0/token?thirdTraceId=${Random String}
Important!!! This interface requires caching for at least 6600 seconds. The token should be refreshed by recalling this interface between 6650-7200 seconds. Otherwise, the token will expire after 7200 seconds, causing request failures. It's recommended to implement a retry strategy based on error code [20016].
# Request Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| appId | String | Yes | App ID of the self-built application |
| appSecret | String | Yes | App secret of the self-built application |
| permanentCode | String | Yes | Permanent authorization code |
| grantType | String | Yes | Grant type, fixed value: app_secret |
# Request Example
{
"appId": "FSAID_xxxxx",
"permanentCode": "3F9xxxxxCA5",
"appSecret": "e4d0xxxxxdff",
"grantType": "app_secret"
}
# Response Parameters
| Parameter | Required | Description |
|---|---|---|
| openUserId | Yes | User's openUserId |
| accessToken | Yes | Authorization token, valid for 2 hours |
| expiresIn | Yes | Expiration time |
| appId | Yes | App ID of the self-built application |
| ea | Yes | Enterprise account |
# Response Example
{
"openUserId": "FSCID_xxxxxxx",
"accessToken": "BCxxxxxDF2",
"expiresIn": 7084,
"appId": "FSAID_xxxxx",
"ea": "fxxxx1",
"errorCode": 0,
"errorMessage": "success",
"traceId": "E-O.fxxxxx6b"
}