OAuth2 Client Credentials Flow for Workload Users

WORKLOAD Users (read more about User management here) can use the standard OAuth2 client credentials authentication flow (read more here) to authenticate themselves to the Cluster and start accessing its publicly exposed HTTP-based Services (read more about publicly exposed BeyondCorp Services here), such as HTTP/gRPC-based APIs or Kubernetes clusters, exactly like any protected public SaaS HTTP-based resource without having to install clients on their hosts, use special SDKs or even having to even be aware of the Cluster's existence at all. This allows you to write applications in any programming language and use standard OAuth2 libraries to securely access all the Cluster publicly exposed Services via a single identity and credential.

NOTE

Additionally to using the OAuth2 client credentials flow Credential, you can also generate an access token Credential and use it directly as a bearer token to access publicly exposed Services. Read more here.

It simply works as follows:

  1. Obtain an OAuth2 client credential Credential as follows:
octeliumctl create cred --user root --type oauth2 my-oauth-cred
# Here is the command output
Client ID: nz7y-hagw
Client Secret: AQpA691Z...
NOTE

You can read more here.

Now you can use the client credentials, for example, within your application to authenticate to the Cluster's OAuth2 token endpoint which is located at the URL https://<DOMAIN>/oauth2/token. For example, let's assume we want to access the Service my-api and obtain the access token which can then be used to access your Services via the standard bearer authentication (i.e. via the HTTP request header Authorization: Bearer <ACCESS_TOKEN>).

In shell and curl this can be simply done as follows:

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&grant_type=client_credentials' 'https://<DOMAIN>/oauth2/token'
# Now we use the obtained access token from the above request to access the Service
curl -H "Authorization: Bearer <ACCESS_TOKEN>" https://my-api.<DOMAIN>

Here is an equivalent example in Golang:

1
package main
2
3
import (
4
"context"
5
"fmt"
6
"io"
7
8
"golang.org/x/oauth2/clientcredentials"
9
)
10
11
func main() {
12
if err := doMain(context.Background()); err != nil {
13
panic(err)
14
}
15
}
16
17
func doMain(ctx context.Context) error {
18
19
// Your Cluster domain
20
domain := "example.com"
21
// Configuration for the client credentials flow
22
config := clientcredentials.Config{
23
ClientID: "y56y-9ru3",
24
ClientSecret: "AQpAt200_CHp2S9G...",
25
TokenURL: fmt.Sprintf("https://%s/oauth2/token", domain),
26
}
27
28
// Now we obtain an access token from our OAuth2 client credentials
29
_, err := config.Token(ctx)
30
if err != nil {
31
return err
32
}
33
34
// Now we access our Service "my-api"
35
client := config.Client(ctx)
36
resp, err := client.Get(fmt.Sprintf("https://my-api.%s", domain))
37
if err != nil {
38
return err
39
}
40
defer resp.Body.Close()
41
42
bodyBytes, err := io.ReadAll(resp.Body)
43
if err != nil {
44
return err
45
}
46
47
fmt.Printf("Response: %s\n", string(bodyBytes))
48
49
return nil
50
}

And here is an equivalent example in Typescript:

1
import axios from "axios";
2
import { URLSearchParams } from "url";
3
4
const clientId = "y56y-9ru3";
5
const clientSecret = "AQpAyteKC0UPDI1U...";
6
const domain = "<DOMAIN>";
7
8
const getToken = async (): Promise<string> => {
9
try {
10
const params = new URLSearchParams();
11
params.append("grant_type", "client_credentials");
12
params.append("client_id", clientId);
13
params.append("client_secret", clientSecret);
14
15
const response = await axios.post(
16
`https://${domain}/oauth2/token`,
17
params,
18
{
19
headers: {
20
"Content-Type": "application/x-www-form-urlencoded",
21
},
22
}
23
);
24
25
return response.data.access_token;
26
} catch (error) {
27
console.error("Error fetching access token:", error);
28
throw error;
29
}
30
};
31
32
const accessProtectedResource = async (token: string) => {
33
try {
34
const response = await axios.get(`https://my-api.${domain}`, {
35
headers: {
36
Authorization: `Bearer ${token}`,
37
},
38
});
39
console.log(response)
40
} catch (error) {
41
throw error;
42
}
43
};
44
45
const main = async () => {
46
const accessToken = await getToken();
47
await accessProtectedResource(accessToken);
48
};
49
50
main();
51
NOTE

You can additionally add Octelium scopes as OAuth2 scopes. Read more about scopes here.

There are standard libraries in almost all the major programming languages to use the OAuth2 client credentials flow and obtain the access token. Some examples are:

NOTE

You can also use the issued access token in the X-Octelium-Auth: <ACCESS_TOKEN> header instead of using it in the typical Authorization: Bearer <ACCESS_TOKEN> header.

© 2025 octelium.comOctelium Labs, LLCAll rights reserved
Octelium and Octelium logo are trademarks of Octelium Labs, LLC.
WireGuard is a registered trademark of Jason A. Donenfeld