client_credentials issue
1) My company is switching to a new authorisation server; the selected server is Zitadel
2) Self hosting
3) 4.4.0
4) Nothing fancy: Java Spring Boot 3.3.0, Docker latest (4.48.0), Postman, if that is even important here
5-6) OK, so I'm trying to create a client_credentials connection. I set my Spring to a certain client (screenshot 1), and I'm trying to access the general dummy method. The public one works flawlessly; the secure one? Not so much.
I set all the right credentials and the right links and it works: I get the token and use it as a bearer, yet nothing happens. When I try to send a request I get redirected to the login form even though I have a bearer token. But the bigger offender is when I swap the grant type from authorisation code to client credentials (and yes, I hear you, I added an app within Zitadel that has type API and sent its credentials, both as basic with grant type client_credentials and as client_credentials; neither worked), and it just says in Docker:
time=2025-10-29T12:07:32.575Z level=WARN msg="request error" oidc_error.parent="ID=QUERY-Dfbg2 Message=Errors.User.NotFound Parent=(sql: no rows in result set)" oidc_error.description="client not found" oidc_error.type=invalid_client status_code=400
and in postman
Error: invalid_client, Description: client not found
Help me plz. I need it to work as client_credentials or password credentials. No login form, machine to machine. THX in advance



1 Reply
Hi @hamatamna, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
Based on the error you're seeing, there's a common misunderstanding about how API applications work in ZITADEL for the client_credentials grant (1).
The Issue:
API applications in ZITADEL cannot directly obtain tokens using their Client ID and Client Secret with the client_credentials grant. The error "client not found" occurs because ZITADEL is looking for a user context, which doesn't exist for API applications.
The Solution:
For machine-to-machine authentication without a login form, you need to create a Machine User (also called a Service User), not an API application.
Here's what you need to do:
1. Create a Machine User in ZITADEL Console instead of (or in addition to) your API application
2. Generate credentials for the Machine User (either a client secret or use JWT profile) (2)
3. Use the Machine User's credentials with the client_credentials grant
For the token request, use this format:
The ${BASIC_AUTH} should be your Machine User's client_id and client_secret encoded as Basic Auth.
Why API Applications Don't Work:
API applications' credentials are intended for authenticating the API application itself to ZITADEL for operations like token introspection, not for directly generating tokens (1). Tokens in ZITADEL are issued in the context of a user - either a human user (via interactive login flows) or a machine user (via client_credentials).
Once you switch to using a Machine User instead of the API application credentials, your client_credentials flow should work correctly.
To learn more, see the sources I considered:
[1] API application client_credential error
[2] OpenID Connect Endpoints in ZITADEL
Feel free to tag @Ask Inkeep with additional questions.
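
A client_credentials token request for a Machine User, as an added example that is not part of the original reply or ZITADEL's own code. It builds the `${BASIC_AUTH}` value with the percent-encoding RFC 6749 section 2.3.1 requires before Base64, and passes the header on stdin so the secret stays out of the process list. Assumptions: the token endpoint is `/oauth/v2/token`, and `ZITADEL_DOMAIN`, `CLIENT_ID`, `CLIENT_SECRET` and the `openid` scope are placeholders.

```shell
#!/bin/sh
# Added example. ZITADEL_DOMAIN, CLIENT_ID and CLIENT_SECRET are placeholders
# for the Machine User's values; nothing here comes from the original thread.

# Percent-encode every character outside the RFC 3986 unreserved set.
# The "( )" body runs in a subshell, so LC_ALL and the helpers stay local.
# Sample inputs are ASCII; other bytes depend on the shell's printf.
urlencode() (
  LC_ALL=C
  s=$1 out=
  while [ -n "$s" ]; do
    rest=${s#?}        # everything after the first character
    c=${s%"$rest"}     # the first character itself
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
    s=$rest
  done
  printf '%s' "$out"
)

# Base64 of "<encoded id>:<encoded secret>", i.e. the ${BASIC_AUTH} value.
basic_auth() {
  printf '%s:%s' "$(urlencode "$1")" "$(urlencode "$2")" | base64 | tr -d '\n'
}

# POST the grant. The Authorization header is read from stdin (--header @-)
# so the credential never appears in curl's argument list. No --fail, so an
# invalid_client JSON body from the server is still printed.
request_token() {
  printf 'Authorization: Basic %s\n' "$(basic_auth "$2" "$3")" |
    curl --silent --show-error \
      --request POST "https://$1/oauth/v2/token" \
      --header @- \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'grant_type=client_credentials' \
      --data-urlencode 'scope=openid'
}

# Only contacts the server when ZITADEL_DOMAIN is set in the environment.
if [ -n "${ZITADEL_DOMAIN:-}" ]; then
  request_token "$ZITADEL_DOMAIN" "$CLIENT_ID" "$CLIENT_SECRET"
fi
```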