Get Access Tokens

To access your API, you must request an access token when authenticating a user.

To request an access token, make a POST call to the token URL.

Example POST to token URL

curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data client_id=YOUR_CLIENT_ID \
  --data client_secret=YOUR_CLIENT_SECRET \
  --data audience=YOUR_API_IDENTIFIER

var client = new RestClient("https://{yourDomain}/oauth/token");
var request = new RestRequest(Method.POST);
request.AddHeader("content-type", "application/x-www-form-urlencoded");
request.AddParameter("application/x-www-form-urlencoded", "grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&audience=YOUR_API_IDENTIFIER", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);

package main

import (

func main() {

	url := "https://{yourDomain}/oauth/token"

	payload := strings.NewReader("grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&audience=YOUR_API_IDENTIFIER")

	req, _ := http.NewRequest("POST", url, payload)

	req.Header.Add("content-type", "application/x-www-form-urlencoded")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)



HttpResponse<String> response ="https://{yourDomain}/oauth/token")
  .header("content-type", "application/x-www-form-urlencoded")

var axios = require("axios").default;

var options = {
  method: 'POST',
  url: 'https://{yourDomain}/oauth/token',
  headers: {'content-type': 'application/x-www-form-urlencoded'},
  data: new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: 'YOUR_CLIENT_ID',
    client_secret: 'YOUR_CLIENT_SECRET',
    audience: 'YOUR_API_IDENTIFIER'

axios.request(options).then(function (response) {
}).catch(function (error) {

#import <Foundation/Foundation.h>

NSDictionary *headers = @{ @"content-type": @"application/x-www-form-urlencoded" };

NSMutableData *postData = [[NSMutableData alloc] initWithData:[@"grant_type=client_credentials" dataUsingEncoding:NSUTF8StringEncoding]];
[postData appendData:[@"&client_id=YOUR_CLIENT_ID" dataUsingEncoding:NSUTF8StringEncoding]];
[postData appendData:[@"&client_secret=YOUR_CLIENT_SECRET" dataUsingEncoding:NSUTF8StringEncoding]];
[postData appendData:[@"&audience=YOUR_API_IDENTIFIER" dataUsingEncoding:NSUTF8StringEncoding]];

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/oauth/token"]
[request setHTTPMethod:@"POST"];
[request setAllHTTPHeaderFields:headers];
[request setHTTPBody:postData];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
[dataTask resume];

$curl = curl_init();

curl_setopt_array($curl, [
  CURLOPT_URL => "https://{yourDomain}/oauth/token",
  CURLOPT_POSTFIELDS => "grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&audience=YOUR_API_IDENTIFIER",
    "content-type: application/x-www-form-urlencoded"

$response = curl_exec($curl);
$err = curl_error($curl);


if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;

import http.client

conn = http.client.HTTPSConnection("")

payload = "grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&audience=YOUR_API_IDENTIFIER"

headers = { 'content-type': "application/x-www-form-urlencoded" }

conn.request("POST", "/{yourDomain}/oauth/token", payload, headers)

res = conn.getresponse()
data =


require 'uri'
require 'net/http'
require 'openssl'

url = URI("https://{yourDomain}/oauth/token")

http =, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request =
request["content-type"] = 'application/x-www-form-urlencoded'
request.body = "grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&audience=YOUR_API_IDENTIFIER"

response = http.request(request)
puts response.read_body

import Foundation

let headers = ["content-type": "application/x-www-form-urlencoded"]

let postData = NSMutableData(data: "grant_type=client_credentials".data(using: String.Encoding.utf8)!)
postData.append("&client_id=YOUR_CLIENT_ID".data(using: String.Encoding.utf8)!)
postData.append("&client_secret=YOUR_CLIENT_SECRET".data(using: String.Encoding.utf8)!)
postData.append("&audience=YOUR_API_IDENTIFIER".data(using: String.Encoding.utf8)!)

let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/oauth/token")! as URL,
                                        cachePolicy: .useProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData as Data

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
  } else {
    let httpResponse = response as? HTTPURLResponse


Parameter Name Description
grant_type Set this to "client_credentials".
client_id Your application's Client ID. You can find this value on the application's settings tab.
client_secret Your application's Client Secret. You can find this value on the application's settings tab. To learn more about available application authentication methods, read Application Credentials.
audience The audience for the token, which is your API. You can find this in the Identifier field on your API's settings tab.
organization Optional. The organization name or identifier you want the request to be associated with. To learn more, read Machine-to-Machine Access for Organizations.


You receive an HTTP 200 response with a payload containing access_token, token_type, and expires_in values:


Control access token audience

When a user authenticates, you request an access token and include the target audience and scope of access in your request. The application uses the /authorize endpoint to request access. This access is both requested by the application and granted by the user during authentication

You can configure your tenant to always include a default audience.

Token Use Format Requested Audience Requested Scope
/userinfo endpoint Opaque tenant name ({yourDomain}), no value for audience parameter, no audience parameter passed openid
Auth0 Management API JWT Auth0 Management API v2 identifier (https://{tenant}
Your own custom API JWT The API Identifier for your custom API registered in the Auth0 Dashboard

In only one specific instance, access tokens can have multiple target audiences. This requires that your custom API's signing algorithm is set to RS256. To learn more, read Token Best Practices.

Multiple audiences

If you specify an audience of your custom API identifier and a scope of openid, then the resulting access token's aud claim will be an array rather than a string, and the access token will be valid for both your custom API and for the /userinfo endpoint. Your access tokens can only have two or more audiences if you use a single custom API as well as Auth0's /userinfo endpoint.

Custom domains and the Auth0 Management API

Auth0 issues tokens with an issuer (iss) claim of whichever domain you used when requesting the token. Custom domain users can use either their custom domain or their Auth0 domain.

For example, suppose you have a custom domain, If you request an access token from, your token's iss claim will be However, if you request an access token from, your token's iss claim will be

If you request an access token from your custom domain with the target audience of the Auth0 Management API, then you must call the Auth0 Management API from your custom domain. Otherwise your access token is considered invalid.

Renew access tokens

By default, an access token for a custom API is valid for 86400 seconds (24 hours). You can shorten the time period before the token expires.

After an access token has expired, you can renew your access token. To do so either re-authenticate the user using Auth0 or use a refresh token.

Learn more