400 Bad request for generating a token in postman

Hi All,

I’m very new to Okta and Postman and I’ve been reading docs for a day and a half.
I’ve been trying to follow these docs and read the topics that come up while creating this post. None of it seemed to help.


I copied the data I needed from my app into postman so I know it’s right. My app is also active.

I also saw this info with the 400 error message

Identity Provider: Unknown

Error Code: invalid_request

Description: Clients with ‘application_type’ of ‘service’ are not allowed to access the ‘authorize’ endpoint.

So how do I fix this 400 error when generating a key in postman?

Sounds like you’re trying to make an /authorize call with a service app, but, if you want to get tokens for a service app, you should be hitting the /token endpoint only. The authorize endpoint would only be made in OpenID user authentication flow, which isn’t needed for service apps completing Client Credentials flow, which is a machine-to-machine flow

Details of the client credentials flow (used by service apps) found here: Implement authorization by grant type | Okta Developer

I’m a bit confused. I’ve read that article before and again today but didn’t understand what it was saying or where to go to do so.
It mentions basic auth and this curl code but I don’t know where I’m supposed to input it, let alone what information my app is supposed to use. " ‘authorization: Basic MG9hY…’ " doesn’t look complete and I don’t know where to find the code for my app.

This is the part of the doc I’m referring to
Base64 encode the client ID and secret and then pass through Basic Authentication in the request to your Custom Authorization Server’s /token endpoint:
curl --request POST \
  --url https://${yourOktaDomain}/oauth2/default/v1/token \
  --header 'accept: application/json' \
  --header 'authorization: Basic MG9hY…' \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials&scope=customScope'
It mentions using basic auth, which hasn’t worked yet either.

Also, for the encoding section, where do I use this new encoded client id/secret? Is it one of the fields in the curl request or somewhere in postman?

The document also doesn’t mention how to do this in postman which is what I’ve been told I’m required to use to get the token.

In postman, you can configure the basic auth on the Authorization tab, providing the client ID as the username and the client secret as the password
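
The header derivation discussed in this thread, as an added example that is not part of the original posts or of Okta's documentation: it shows that the `authorization: Basic …` value is base64 of `client_id:client_secret`, which is the same header Basic Auth with the client ID as username and the client secret as password produces. The function names, the credentials and `example.okta.com` are constructed placeholders; the endpoint path and `customScope` come from the quoted doc.

```shell
# Added example. All credentials below are constructed placeholders.

# Build the header value: base64 of "<client_id>:<client_secret>".
# $1 = client ID, $2 = client secret.
basic_auth_header() {
  # printf '%s' avoids encoding a trailing newline (echo would add one);
  # tr strips the line wrapping some base64 builds apply to long output.
  printf 'Authorization: Basic %s' \
    "$(printf '%s' "$1:$2" | base64 | tr -d '\n')"
}

# Reverse check: recover "<client_id>:<client_secret>" from a header,
# useful for confirming what a client is actually sending.
decode_basic_auth() {
  printf '%s' "${1#Authorization: Basic }" | base64 --decode
}

# Client credentials request to the /token endpoint (never /authorize).
# $1 = Okta domain, $2 = client ID, $3 = client secret, $4 = scope.
# --user makes curl compute the same Basic header itself. Arguments on the
# command line are visible in process listings and shell history, so load
# real secrets from a protected source rather than typing them inline.
request_token() {
  curl --silent --request POST \
    --url "https://$1/oauth2/default/v1/token" \
    --user "$2:$3" \
    --header 'accept: application/json' \
    --header 'content-type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode "scope=$4"
}

# Constructed sample values; replace with the service app's own.
CLIENT_ID='0oab1c2d3EXAMPLE'
CLIENT_SECRET='constructed-secret-value'

# Prints a header beginning "Authorization: Basic MG9hY", the same prefix
# as the truncated value in the doc's curl command.
basic_auth_header "$CLIENT_ID" "$CLIENT_SECRET"; echo

# Uncomment to send the request (needs network access and real values):
# request_token 'example.okta.com' "$CLIENT_ID" "$CLIENT_SECRET" 'customScope'
```

The base64 value is an encoding, not encryption: anyone who sees the header can run it through `decode_basic_auth` and read the client secret, so treat the encoded string as the secret itself.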