Is API Access Management feature required for client_credentials flow?

I want to use the client_credentials flow to obtain a server side access token that can be used for fetching the user profiles of all users in the Okta instance.

I created an OAuth Service app, granted the okta.users.read scope for the app and then tried to use the client credentials flow:
curl --request POST --url https://.okta.com/oauth2/default/v1/token --header ‘accept: application/json’ --header ‘Authorization: Basic …’ --header ‘cache-control: no-cache’ --header ‘content-type: application/x-www-form-urlencoded’ --data ‘grant_type=client_credentials&scope=okta.users.read’ -v

This returns an error response:
{“error”:“access_denied”,“error_description”:“The requested feature is not enabled in this environment.”}

Why does this error occur? Does the “API Access Management” feature need to be enabled in order to use the client credentials flow?

API access management is not required as you do not need to use a custom authorization server

the POST request needs to be done on oauth2/v1/token and not /oauth2/default/v1/token, which is a custom authorization server’s token endpoint

Note that if you are doing a client credentials flow with the Org Authorization Server your application will need to be a public/private key app. You will not be able to use basic auth with a client secret. Instructions for setting this up can be found here.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.