I enabled the Client Credentials grant type. However, when attempting to request a token via the /oauth2/v1/token endpoint with --data grant_type=client_credentials, I get the following error:
{
"error": "invalid_client",
"error_description": "Only clients with 'application_type' of 'service' may use the client_credentials 'grant_type' with the Org Authorization Server."
}
Thus, why is “Client Credentials” displayed as a grant type in the UI if it cannot be used for OIDC apps?
Client Credentials appears in the UI, but it isn’t supported for OIDC apps when using the Org Authorization Server. That flow is intended to be used with a Custom Authorization Server.
Long answer:
The error occurs because the token request is being sent to the Org Authorization Server (<your-okta-domain>/oauth2/v1/token). With the Org Authorization Server, the client_credentials grant type is only supported for clients with an application_type of service.
Although the Client Credentials grant type appears in the OIDC application settings in the UI, it can’t be used with the Org Authorization Server for standard OIDC applications.
If you’re looking to implement machine-to-machine (M2M) or microservices authorization using the client_credentials flow, this is supported through Custom Authorization Servers, which are available with the API Access Management feature.
If your org has API AM enabled, you can:
• Use the default Custom Authorization Server (<your-okta-domain>/oauth2/default)
• Or create your own Custom Authorization Server (<your-okta-domain>/oauth2/<custom-authzserver-id>)
• You can create your own Custom Authorization Server by going to Security > API, then Add Authorization Server (please note that the default Authorization Server is a Custom Authorization Server).
You would then request the token from that server instead of the Org Authorization Server (for example: /oauth2/default/v1/token).
You can find more details about the differences and capabilities of Okta Authorization Servers here: Authorization servers | Okta Developer (the capabilities comparison table is at the bottom of the page).
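The corrected request described in the answer above, as an added Python example that is not from the thread: it builds a client_credentials token request against a Custom Authorization Server (the built-in default one unless another server id is given) using client_secret_basic, refuses to target the Org Authorization Server token path, and returns Okta's JSON error object instead of raising when the token endpoint rejects the request. The Okta domain, client id/secret and the custom scope name (orders.read) are placeholders.

```python
"""Client-credentials token request against an Okta Custom Authorization Server.

Added example (not from the forum thread). Assumes an OIDC app with the
client_credentials grant enabled, a Custom Authorization Server that defines
the custom scope being requested, and client_secret_basic client authentication.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

ORG_SERVER_TOKEN_PATH = "/oauth2/v1/token"  # Org Authorization Server token endpoint


def token_endpoint(okta_domain: str, server_id: str = "default") -> str:
    """Token URL of a Custom Authorization Server (default or a custom id)."""
    return f"https://{okta_domain}/oauth2/{server_id}/v1/token"


def build_token_request(url: str, client_id: str, client_secret: str, scope: str):
    """Return (url, headers, body) for a client_credentials request.

    The client authenticates with an HTTP Basic header (client_secret_basic);
    the form body carries only grant_type and the custom scope.
    """
    if url.endswith(ORG_SERVER_TOKEN_PATH):
        raise ValueError("client_credentials is not supported for OIDC apps on the "
                         "Org Authorization Server; use /oauth2/<server-id>/v1/token")
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return url, headers, body


def request_token(okta_domain, client_id, client_secret, scope, server_id="default"):
    """POST the request; return the parsed JSON (token response or OAuth error)."""
    url, headers, body = build_token_request(
        token_endpoint(okta_domain, server_id), client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:  # Okta returns the OAuth error as a JSON body
        return json.loads(err.read().decode() or "{}")


if __name__ == "__main__":
    # Placeholder values; replace with your org's domain, app credentials and scope.
    print(request_token("dev-123456.okta.com", "<client_id>", "<client_secret>", "orders.read"))
```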
Thank you for your thorough answer. I confirm that I was able to obtain an access token for my OIDC app via the client credentials grant with a Custom Authorization Server scope.
Hopefully, the official docs are updated with the fact that custom credentials are not supported for OIDC apps when using an Org Authorization Server.