Password auth for machine-to-machine application

I’ve created a web API that I’d like people to gain access to by using the password grant. I have a machine-to-machine application and a couple users set up in my dashboard. Everything works fine. I can get a JWT token using a client like Insomnia or Postman.

The only issue I have is that the request requires the client secret for my application. This means that my users won’t be able to request tokens because I can’t (shouldn’t) share the secret.

Looking on the OAuth 2.0 site, it states that the client secret is required if one was issued.

Is there a way to not require the secret be provided? Alternatively, is there a way to create an application that isn’t issued a secret (i.e. client credentials grant would never work)?

Found it here under the explanation for client_secret: Set Token Endpoint Authentication Method to None.

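To illustrate why that setting resolves the issue, here is a small model of a token endpoint's client-authentication decision, written as an added example (not code from the original post, nor Auth0's implementation): a client registered with Token Endpoint Authentication Method set to None is a public client that can use the password grant without a client_secret, while a confidential client must present its secret, and the client credentials grant stays unavailable to the public client because it has nothing to authenticate with. Client IDs, secrets and the user credential are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo registrations; auth_method mirrors the OIDC
# token_endpoint_auth_method value shown in a dashboard as "None" vs. a secret.
CLIENTS = {
    # confidential client: a secret was issued, so it must be presented
    "m2m-backend": {"auth_method": "client_secret_post",
                    "secret": "constructed-demo-secret",
                    "grants": {"client_credentials", "password"}},
    # public client ("Token Endpoint Authentication Method: None"):
    # no secret exists, so only grants that carry user credentials make sense
    "user-cli": {"auth_method": "none",
                 "secret": None,
                 "grants": {"password"}},
}
USERS = {"alice": "constructed-demo-password"}


def issue_token(subject: str) -> str:
    # Opaque demo token, not a JWT; a real server would sign a JWT here.
    return hashlib.sha256(f"{subject}:{secrets.token_hex(8)}".encode()).hexdigest()


def token_endpoint(form: dict) -> dict:
    """Model of /oauth/token: returns a token response or an OAuth error dict."""
    client = CLIENTS.get(form.get("client_id", ""))
    if client is None:
        return {"error": "invalid_client"}
    if client["auth_method"] != "none":
        # Confidential client: authenticate the client before looking at the grant.
        presented = form.get("client_secret", "")
        if not hmac.compare_digest(presented, client["secret"]):
            return {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant not in client["grants"]:
        # e.g. client_credentials for a public client: nothing to authenticate with
        return {"error": "unauthorized_client"}
    if grant == "client_credentials":
        return {"access_token": issue_token("client:" + form["client_id"]),
                "token_type": "Bearer"}
    # password grant: the user's credentials, not the client's, are what is verified
    user, pw = form.get("username", ""), form.get("password", "")
    if user not in USERS or not hmac.compare_digest(pw, USERS[user]):
        return {"error": "invalid_grant"}
    return {"access_token": issue_token("user:" + user), "token_type": "Bearer"}
```

The password grant itself is discouraged by the OAuth 2.0 Security Best Current Practice; the point of the model is only the client-authentication decision that the dashboard setting controls.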

Glad you have it working and thanks for sharing the solution with the rest of the community!