Client Credentials Authentication API Documentation
Overview
This API implements the OAuth 2.0 Client Credentials flow for machine-to-machine authentication. It is used by trusted backend services to obtain access tokens without a user context.
API Endpoint
- URL: https://id-stag.tripdata.vn/connect/token
- Method: POST
- Content-Type: application/x-www-form-urlencoded
Request Parameters
Parameter | Required | Description
---|---|---
grant_type | ✅ Yes | Must be `client_credentials`
client_id | ✅ Yes | Client application identifier
client_secret | ✅ Yes | Client secret credential
scope | ❌ No | Space-separated list of permissions
Sample Request
curl --location 'https://id-stag.tripdata.vn/connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=YOUR_CLIENT_ID' \
--data-urlencode 'client_secret=YOUR_SECRET'
Sample Response
{
"access_token": "eyJhbGciOiJSUzI1NiIsImtp....",
"expires_in": 3600,
"token_type": "Bearer",
"scope": "client-data config-data hub-data tenant-data user-data"
}
Response Field Description
Field | Type | Description
---|---|---
access_token | String | Bearer token for service-to-service API calls
expires_in | Number | Token validity in seconds (3600s = 1 hour)
token_type | String | Token type (always `Bearer`)
scope | String | Granted permissions (space-separated)
Scopes Reference
Scope | Description
---|---
client-data | Access client registry data
config-data | Read system configuration
hub-data | Access TripData Hub services
tenant-data | Manage tenant-specific resources
user-data | Access user management APIs
Security Notes
Client Secret Confidentiality
Never expose client secrets in client-side code or public repositories.
Token Lifetime
Tokens automatically expire after 1 hour - implement token rotation.
Scope Limitation
Request only necessary permissions using the scope parameter.
IP Whitelisting
Recommended to restrict client credentials usage to known server IPs.
Audit Logging
Monitor all client credential grants for suspicious activity.
Usage Example
POST /api/tenant/configuration HTTP/1.1
Host: api-dev.tripdata.vn
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtp....
Content-Type: application/json
{
"configKey": "SYSTEM_TIMEOUT",
"value": "30000"
}
Important: This authentication method should only be used by confidential clients with secure secret storage. Never use in browser/mobile apps.
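The following is an added example, not code from the TripData documentation: a small Python client that performs the token request described above, asks only for the scopes it needs, and caches the token so it is refreshed shortly before `expires_in` elapses rather than on every call. The environment variable names and the 60-second refresh margin are assumptions.

```python
"""Client-credentials helper (added example, not the TripData project's own code)."""
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://id-stag.tripdata.vn/connect/token"  # endpoint from the docs
REFRESH_MARGIN = 60  # assumed: refresh this many seconds before the token expires


def request_token(client_id, client_secret, scope=None, opener=urllib.request.urlopen):
    """POST a client_credentials grant and return the parsed JSON token response."""
    fields = {"grant_type": "client_credentials",
              "client_id": client_id, "client_secret": client_secret}
    if scope:
        fields["scope"] = scope  # request only the permissions this service needs
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with opener(req) as resp:
        return json.loads(resp.read())


class TokenCache:
    """Caches one access token and refreshes it before expires_in runs out."""

    def __init__(self, fetch, clock=time.monotonic):
        self._fetch = fetch      # callable returning the token response dict
        self._clock = clock      # injectable so refresh logic can be tested offline
        self._token, self._type, self._expires_at, self.fetch_count = None, "Bearer", 0.0, 0

    def bearer(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - REFRESH_MARGIN:
            data = self._fetch()
            self.fetch_count += 1
            self._token = data["access_token"]
            self._type = data.get("token_type", "Bearer")
            self._expires_at = now + int(data["expires_in"])
        return self._token

    def auth_header(self):
        """Header to attach to service-to-service calls, e.g. POST /api/tenant/configuration."""
        return {"Authorization": f"{self._type} {self.bearer()}"}


if __name__ == "__main__":
    # Secrets come from the environment (assumed variable names), never from source code.
    cid, secret = os.environ["TRIPDATA_CLIENT_ID"], os.environ["TRIPDATA_CLIENT_SECRET"]
    cache = TokenCache(lambda: request_token(cid, secret, scope="config-data"))
    print(cache.auth_header())
```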