Skip to main content

Client credentials grant

ClientCredentials and traits AccessTokenProvider and TokenIntrospection expose methods that:

  • Obtain token via requestToken
  • introspect the token for its details like UserInfo
import org.polyvariant.sttp.oauth2.json.circe.instances._ // Or your favorite JSON implementation
val accessTokenProvider = AccessTokenProvider[IO](tokenUrl, clientId, clientSecret)(backend)
val tokenIntrospection = TokenIntrospection[IO](tokenIntrospectionUrl, clientId, clientSecret)(backend)
val scope: Option[Scope] = Some("scope")
for {
token <- accessTokenProvider.requestToken(scope) // ask for token
response <- tokenIntrospection.introspect(token.accessToken) // check if token is valid
} yield // is the token active?


Caching modules provide cached AccessTokenProvider, which can:

  • reuse the token multiple times using a cache (default cache implementation may be overridden using appropriate constructor functions)
  • fetch a new token if the previous one expires
module nameclass nameprovided cache implementationsemaphorenotes
sttp-oauth2-cache-catsCachingAccessTokenProvidercats-effect3's Refcats-effect2's Semaphore
sttp-oauth2-cache-ce2CachingAccessTokenProvidercats-effect2's Refcats-effect2's Semaphore
sttp-oauth2-cache-zioCachingAccessTokenProviderzio's Refzio's Semaphore
sttp-oauth2-cache-futureFutureCachingAccessTokenProvidermonix-execution's AtomicAnymonix-execution's AsyncSemaphoreIt only uses submodule of whole monix project

Cats example#

val delegate = AccessTokenProvider[IO](tokenUrl, clientId, clientSecret)(backend)

sttp-oauth2 backends#

SttpOauth2ClientCredentialsBackend is a SttpBackend which sends auth bearer headers for every http call performed with it using provided AccessTokenProvider.

val scope: Option[Scope] = Some("scope") // backend will use defined scope for all requests
val backend: SttpBackend[IO, Any] = SttpOauth2ClientCredentialsBackend[IO, Any](tokenUrl, clientId, clientSecret)(scope)(delegateBackend)
backend.send(request) // this will add header: Authorization: Bearer {token}

In order to cache tokens, use one of the AccessTokenProviders described in Caching section.