Machine-to-Machine Access
Not every sign-in involves a person. A backend service, a scheduled job, or a script often needs to call an API as itself, with no user in the loop. Kanshin supports this with the client-credentials flow, in which an application authenticates as itself and receives an access token.
When to use it
Use machine-to-machine access when there is no human to sign in — for example:
- A backend service that calls another service’s API
- A nightly job that syncs data
- A command-line tool that automates an administrative task
For anything a person signs in to, use the ordinary sign-in flow instead; client credentials are only for software acting on its own behalf.
Setting it up
Machine-to-machine access uses an application configured for it:
- Register an application as usual (see Applications ).
- Give it the client credentials grant type.
- Because there is no user and the application must keep a secret, register it as a confidential application and note its client secret (shown once).
- Register the scopes the application is allowed to request.
Getting a token
At runtime, the service presents its client ID and client secret to Kanshin’s token endpoint and asks for an access token, naming the scopes it needs. Kanshin verifies the credentials and returns a signed access token, which the service then presents to the APIs it calls. There is no redirect and no user prompt — just the application proving who it is.
Keep the client secret protected, and use secret rotation if it may have been exposed. Because a machine identity is just an application, the same protections apply — repeated failed authentication locks the application out temporarily.
Related pages
- Applications — registering the application and its secret
- Single Sign-On — the flow for when a person signs in
- Sessions, Audit & Security — token lifetimes and security