client_credentials issue

1) My company is switching to a new authorisation server selected server is Zitadel
2) Self hosting
3) 4.4.0
4) Nothing fancy java spring boot 3.3.0 Docker latest (4.48.0) postman if that is even important here
5-6) Ok so i'm trying to create a client_credentials connection, i set my spring to a certain client screenshot 1, and i'm trying to access the general dummy method public one works flawlessly secure one? not so much.
i set all the right credentials right links and It works, i get the token use it as a bearer, yet nothing happens, when i try to send a request i get redirected to the login form even tho i have a bearer token. But the bigger offender is when i swap grant type from authorisation code to the client credentials and yes i hear you i added an app within zitadel that has type API and sent it's credentials (both as basic with grant type cllient_credentials and as client_credentials neither worked) and it just s says in docker:
time=2025-10-29T12:07:32.575Z level=WARN msg="request error" oidc_error.parent="ID=QUERY-Dfbg2 Message=Errors.User.NotFound Parent=(sql: no rows in result set)" oidc_error.description="client not found" oidc_error.type=invalid_client status_code=400

and in postman

Error: invalid_client, Description: client not found

help me plz. i need it to work as client_cedentials or password credentials. no login form machine to machine. THX in advance

Ask Inkeep•10/29/25, 12:09 PM

Hi @hamatamna, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•10/29/25, 12:09 PM

Answer

Based on the error you're seeing, there's a common misunderstanding about how API applications work in ZITADEL for the client_credentials grant (1) .

The Issue:
API applications in ZITADEL cannot directly obtain tokens using their Client ID and Client Secret with the client_credentials grant . The error "client not found" occurs because ZITADEL is looking for a user context, which doesn't exist for API applications .

The Solution:
For machine-to-machine authentication without a login form, you need to create a Machine User (also called a Service User) , not an API application .

Here's what you need to do:

Create a Machine User in ZITADEL Console instead of (or in addition to) your API application
Generate credentials for the Machine User (either a client secret or use JWT profile) (2)
Use the Machine User's credentials with the client_credentials grant

For the token request, use this format :

curl --request POST \
  --url ${CUSTOM_DOMAIN}/oauth/v2/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Authorization: Basic ${BASIC_AUTH}' \
  --data grant_type=client_credentials \
  --data scope=openid profile

curl --request POST \
  --url ${CUSTOM_DOMAIN}/oauth/v2/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Authorization: Basic ${BASIC_AUTH}' \
  --data grant_type=client_credentials \
  --data scope=openid profile

Ask Inkeep•10/29/25, 12:09 PM

The ${BASIC_AUTH}${BASIC_AUTH} should be your Machine User's client_id and client_secret encoded as Basic Auth .

Why API Applications Don't Work:
API applications' credentials are intended for authenticating the API application itself to ZITADEL for operations like token introspection, not for directly generating tokens (1) . Tokens in ZITADEL are issued in the context of a user - either a human user (via interactive login flows) or a machine user (via client_credentials) .

Once you switch to using a Machine User instead of the API application credentials, your client_credentials flow should work correctly.

Ask Inkeep•10/29/25, 12:10 PM

To learn more, see the sources I considered:

[1] API application client_credential error
[2] OpenID Connect Endpoints in ZITADEL

Ask Inkeep•10/29/25, 12:10 PM

Feel free to tag @Ask Inkeep with additional questions.