Kanshin Docs / Machine-to-Machine Access

Machine-to-Machine Access

Not every sign-in involves a person. A backend service, a scheduled job, or a script often needs to call an API as itself, with no user in the loop. Kanshin supports this with the client-credentials flow, in which an application authenticates as itself and receives an access token.

When to use it

Use machine-to-machine access when there is no human to sign in — for example:

  • A backend service that calls another service’s API
  • A nightly job that syncs data
  • A command-line tool that automates an administrative task

For anything a person signs in to, use the ordinary sign-in flow instead; client credentials are only for software acting on its own behalf.

Setting it up

Machine-to-machine access uses an application configured for it:

  1. Register an application as usual (see Applications ).
  2. Give it the client credentials grant type.
  3. Because there is no user and the application must keep a secret, register it as a confidential application and note its client secret (shown once).
  4. Register the scopes the application is allowed to request.

Getting a token

At runtime, the service presents its client ID and client secret to Kanshin’s token endpoint and asks for an access token, naming the scopes it needs. Kanshin verifies the credentials and returns a signed access token, which the service then presents to the APIs it calls. There is no redirect and no user prompt — just the application proving who it is.

Keep the client secret protected, and use secret rotation if it may have been exposed. Because a machine identity is just an application, the same protections apply — repeated failed authentication locks the application out temporarily.