Get Access-Token using Client-Credentials

To retrieve an access token using Client-Credentials, the customer must first have given their consent for its use. This is done by running through the authorization flow described here. Note! You have to use account_type=service for the consent to be created.

Since tenantId is a required parameter in the request for the access token, you need to store it on your side in some form. There are different ways to retrieve the tenantId, both upon a new activation and for existing customers.

  • (Recommended) We publish two new events via webhook, one for consent created and one for consent revoked. When a customer activates and a consent is created for a service account, the event gives you the tenantId. You can then directly get new access tokens via client-credentials + tenantId as described below, without having to handle the refresh token or auth code.

  • The activation flow for the customer looks exactly as it did before for a service account. The customer's sysadmin approves the scopes in our OAuth portal, and we then redirect to you with the auth code and state. You can then choose to exchange the auth code for an access token and a refresh token and retrieve the customer information (including tenantId) via /3/companyinformation or /3/settings/company (the DatabaseNumber field), just as you do today. This requires that you include the companyinformation scope. After that, you can directly get new access tokens via client-credentials + tenantId as described below, without having to handle the refresh token.

  • For existing customers, the tenantId is already included in the JWT as a claim.
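For the last case, the tenantId has to be read out of the JWT you already hold for an existing customer. The following is an added example, not code from the Fortnox documentation: it base64url-decodes the payload segment of a compact JWT and extracts the claim. The claim name "tenantId" and the sample token are assumptions/constructed data; the page does not state the exact claim name or show a token.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWT segments omit the '=' padding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def read_tenant_id_claim(jwt: str, claim: str = "tenantId") -> int:
    """Return the tenantId claim of a compact JWT as a positive int.

    Assumption: the claim is named "tenantId" (the page only says the
    tenantId is "included in the JWT as a claim"). The value is accepted
    as either a JSON number or a numeric string, since both forms occur
    in practice; anything else is rejected rather than guessed.
    Note: this reads the payload without verifying the signature.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    payload = json.loads(_b64url_decode(parts[1]))
    if claim not in payload:
        raise KeyError(f"JWT payload has no {claim!r} claim")
    try:
        tenant_id = int(payload[claim])
    except (TypeError, ValueError):
        raise ValueError(f"{claim!r} claim is not numeric: {payload[claim]!r}")
    if tenant_id <= 0:
        raise ValueError(f"{claim!r} claim must be a positive number")
    return tenant_id


def has_tenant_id_claim(jwt: str) -> bool:
    """Convenience wrapper: True if a usable tenantId claim is present."""
    try:
        read_tenant_id_claim(jwt)
        return True
    except (ValueError, KeyError):
        return False


def make_sample_jwt(claims: dict) -> str:
    """Build a CONSTRUCTED sample token for demonstrating the parser.

    The signature segment is a placeholder string; this token is only
    meant to exercise read_tenant_id_claim() offline.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.PLACEHOLDER_SIGNATURE"


if __name__ == "__main__":
    token = make_sample_jwt({"sub": "service-account", "tenantId": 123456})
    print(read_tenant_id_claim(token))
```

Use the extracted value only as the lookup key you store next to the customer record; the claim is read here without checking the signature, so it is not a substitute for validating the token itself when the token is used for authorization.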

POST https://apps.fortnox.se/oauth-v1/token

{Credentials} is the Base64 encoding of ClientId and Client-Secret, separated by a colon.

Read more about OAuth

Content-type: application/x-www-form-urlencoded
Authorization: Basic {Credentials}
TenantId: {TenantId (as numeric value)}

Body example

The body shall be sent in the "application/x-www-form-urlencoded" format, with UTF-8 character encoding.

grant_type (required) - Value MUST be set to "client_credentials".

scope (optional) - If not set, the scopes from the user's consent are used.

A full list of scopes can be found here

Example: scope=article%20companyinformation

grant_type=client_credentials&scope=companyinformation

Response example

{
  "access_token": "xyz...",
  "scope": "companyinformation",
  "expires_in": 3600,
  "token_type": "bearer"
}
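The request and response above, assembled end to end as an added example (not code from the Fortnox documentation): it builds the Basic credentials from ClientId and Client-Secret, sets the TenantId header, encodes the form body with %20 between scopes as the page shows, and validates the JSON response before caching the token. The client id, secret, tenant id and the 60-second expiry margin are constructed/assumed values.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://apps.fortnox.se/oauth-v1/token"

# Safety margin (seconds) subtracted from expires_in before treating a
# cached token as expired; an assumed value, not from the page.
EXPIRY_MARGIN = 60


def basic_credentials(client_id: str, client_secret: str) -> str:
    """Base64(ClientId:Client-Secret) for the Authorization: Basic header."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def build_token_request(client_id: str, client_secret: str,
                        tenant_id: int, scopes=None):
    """Return (headers, body) for the client-credentials token request.

    TenantId must be numeric per the page; scopes, if given, are joined
    with spaces and percent-encoded (space -> %20, matching the
    'scope=article%20companyinformation' example).
    """
    if isinstance(tenant_id, bool) or not isinstance(tenant_id, int) or tenant_id <= 0:
        raise ValueError("TenantId must be a positive numeric value")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Authorization": "Basic " + basic_credentials(client_id, client_secret),
        "TenantId": str(tenant_id),
    }
    params = {"grant_type": "client_credentials"}  # the only allowed value
    if scopes:
        params["scope"] = " ".join(scopes)  # omit to fall back to consented scopes
    body = urllib.parse.urlencode(params, quote_via=urllib.parse.quote).encode("utf-8")
    return headers, body


def parse_token_response(text: str, now: float = None) -> dict:
    """Validate the token endpoint JSON and compute an absolute expiry time."""
    data = json.loads(text)
    if "error" in data:
        raise RuntimeError(f"token endpoint error: {data['error']}")
    for key in ("access_token", "token_type", "expires_in"):
        if key not in data:
            raise ValueError(f"token response missing {key!r}")
    if str(data["token_type"]).lower() != "bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "scope": data.get("scope", ""),
        "expires_at": now + int(data["expires_in"]) - EXPIRY_MARGIN,
    }


def request_access_token(client_id: str, client_secret: str,
                         tenant_id: int, scopes=None) -> dict:
    """Perform the POST against TOKEN_URL (network; not exercised offline)."""
    headers, body = build_token_request(client_id, client_secret, tenant_id, scopes)
    req = urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


# Constructed response mirroring the shape shown on the page.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "xyz...",
    "scope": "companyinformation",
    "expires_in": 3600,
    "token_type": "bearer",
})

if __name__ == "__main__":
    hdrs, body = build_token_request("my-client-id", "my-client-secret",
                                     123456, ["article", "companyinformation"])
    print(hdrs)
    print(body.decode())
    print(parse_token_response(SAMPLE_RESPONSE))
```

Keying the cached token on tenant_id lets one integration serve many customers without ever touching a refresh token; fetch a new one when `expires_at` has passed.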