Great job! We’ve implemented the Client Credentials OAuth 2.0 flow in our application! The handling of access tokens is done with HTTP requests. We can make an HTTP POST request to the /auth route to obtain an access token.

POST http://localhost:4001/auth Content-Type: application/x-www-form-urlencoded Authorization: Basic Y29kZWNhZGVteTpjb2RlY0BkZW15 grant_type=client_credentials

In the HTTP header, we set Authorization to Basic and the base64 encoded Client ID and Client Secret. In the POST request data, we provide grant_type=client_credentials. The server will respond with an access token that looks like this:

{ "accessToken":" "<access token>", "accessTokenExpiresAt":"2021-06-17T01:02:37.272Z", "client": { "id": "codecademy"}, "user":{} } }

To use the access token while requesting authenticated content, we pass the bearer token in the Authentication request header, replacing <Access Token> with the token returned from the request to /auth like so:

GET http://localhost:4001/secret Authorization: Bearer <Access Token>



Start the server by running node app.js in the terminal.


Open up a new terminal tab.

Then, send the following HTTP request to http://localhost:4001/auth to obtain an access token using cURL:

curl --request POST \ --url http://localhost:4001/auth \ --header 'authorization: Basic Y29kZWNhZGVteTpjb2RlY0BkZW15' \ --header 'content-type: application/x-www-form-urlencoded' \ --data grant_type=client_credentials

Send the following cURL command to http://localhost:4001/secret and replacing <ACCESS_TOKEN> with the token returned in the previous cURL.

curl --request GET \ --url http://localhost:4001/secret \ --header 'authorization: Bearer <ACCESS_TOKEN>'

Try requesting the /secret route without the access token by running:

curl localhost:4001/secret

Take this course for free

Mini Info Outline Icon
By signing up for Codecademy, you agree to Codecademy's Terms of Service & Privacy Policy.

Or sign up using:

Already have an account?