OAuth2 Client Credentials Flow for Workload Users

WORKLOAD Users (read more about User management here) can use the standard OAuth2 client credentials authentication flow (read more here) to authenticate themselves to the Cluster and access its publicly exposed HTTP-based Services (read more about publicly exposed BeyondCorp Services here), such as HTTP/gRPC-based APIs or Kubernetes clusters, exactly like any protected public SaaS HTTP-based resource, without having to install clients on their hosts, use special SDKs, or even be aware of the Cluster's existence. This allows you to write applications in any programming language and use standard OAuth2 libraries to securely access all of the Cluster's publicly exposed Services via a single identity and credential.

NOTE

In addition to using an OAuth2 client credentials Credential, you can also generate an access token Credential and use it directly as a bearer token to access publicly exposed Services. Read more here.

It simply works as follows:

  1. Obtain an OAuth2 client credential Credential. You can read more here.

  2. From inside your application, authenticate with the client credential to the OAuth2 token endpoint, which is located at the URL https://<DOMAIN>/oauth2/token. With curl in a shell, this can be done as follows:

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&grant_type=client_credentials' 'https://<DOMAIN>/oauth2/token'

NOTE

You can additionally add Octelium scopes as OAuth2 scopes. Read more about scopes here.

  3. Now you can use the obtained access token as a standard bearer token (i.e. via the Authorization: Bearer <ACCESS_TOKEN> HTTP header) to access the publicly exposed Services (read more about BeyondCorp and publicly exposed Services here).

NOTE

You can also use the issued access token in the X-Octelium-Auth: <ACCESS_TOKEN> header instead of using it in the typical Authorization: Bearer <ACCESS_TOKEN> header.

There are standard libraries in almost all the major programming languages to use the OAuth2 client credentials flow and obtain the access token. Some examples are:
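
The three steps above using only Python's standard library, as an added example that is not part of the original page or Octelium's own code. The class name `ClientCredentialsToken` and its `post` and `clock` parameters are hypothetical, and the token response is assumed to carry the standard RFC 6749 fields (`access_token`, `token_type`, `expires_in`). It caches the token until shortly before expiry and refuses to attach it to a non-HTTPS URL.

```python
import json
import time
import urllib.parse
import urllib.request

class ClientCredentialsToken:
    """Fetches and caches an access token from https://<DOMAIN>/oauth2/token."""

    def __init__(self, domain, client_id, client_secret, scopes=(),
                 post=None, clock=time.monotonic):
        self.token_url = f"https://{domain}/oauth2/token"
        # Same form fields as the curl command on this page.
        self._form = {"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret}
        if scopes:  # OAuth2 scopes are sent space-delimited
            self._form["scope"] = " ".join(scopes)
        self._post = post or self._http_post  # injectable for offline tests
        self._clock = clock
        self._token, self._expires_at = None, 0.0

    @staticmethod
    def _http_post(url, form):
        req = urllib.request.Request(
            url, data=urllib.parse.urlencode(form).encode(), method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    def access_token(self, skew=30):
        """Return the cached token, refreshing `skew` seconds before expiry."""
        if self._token is None or self._clock() >= self._expires_at - skew:
            reply = self._post(self.token_url, self._form)
            # Assumption: RFC 6749 response fields (access_token, token_type, expires_in).
            if (str(reply.get("token_type", "")).lower() != "bearer"
                    or not reply.get("access_token")):
                raise ValueError("token endpoint did not return a bearer token")
            self._token = reply["access_token"]
            # A missing expires_in is treated as 0, so the next call refetches.
            self._expires_at = self._clock() + float(reply.get("expires_in", 0))
        return self._token

    def authorized_request(self, url, use_octelium_header=False):
        """Build a request carrying the token in either header the page names."""
        if not url.lower().startswith("https://"):
            raise ValueError("refusing to send a bearer token over non-HTTPS")
        token = self.access_token()
        name, value = (("X-Octelium-Auth", token) if use_octelium_header
                       else ("Authorization", f"Bearer {token}"))
        return urllib.request.Request(url, headers={name: value})
```

Pass the returned request to `urllib.request.urlopen`, and load the client secret from a secret store or environment variable rather than hard-coding it in source.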
