Octelium Logo
Documentation
OAuth2 Client Credentials Flow for Workload Users

WORKLOAD Users (read more about User management here) can use the standard OAuth2 client credentials authentication flow (read more here) to authenticate themselves to the Cluster and start accessing its publicly exposed HTTP-based Services (read more about publicly exposed BeyondCorp Services here), such as HTTP/gRPC-based APIs or Kubernetes clusters, exactly like any protected public SaaS HTTP-based resource without having to install clients on their hosts, use special SDKs or even having to even be aware of the Cluster's existence at all. This allows you to write applications in any programming language and use standard OAuth2 libraries to securely access all the Cluster publicly exposed Services via a single identity and credential.

NOTE

Additionally to using the OAuth2 client credentials flow Credential, you can also generate an access token Credential and use it directly as a bearer token to access publicly exposed Services. Read more here.

It simply works as follows:

  1. Obtain an OAuth2 client credential Credential as follows:
octeliumctl create cred --user root --type oauth2 my-oauth-cred



# Here is the command output

Client ID: nz7y-hagw

Client Secret: AQpA691Z...
NOTE

You can read more here.

Now you can use the client credentials, for example, within your application to authenticate to the Cluster's OAuth2 token endpoint which is located at the URL https://<DOMAIN>/oauth2/token. For example, let's assume we want to access the Service my-api and obtain the access token which can then be used to access your Services via the standard bearer authentication (i.e. via the HTTP request header Authorization: Bearer <ACCESS_TOKEN>).

In shell and curl this can be simply done as follows:

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&grant_type=client_credentials' 'https://<DOMAIN>/oauth2/token'



# Now we use the obtained access token from the above request to access the Service

curl -H "Authorization: Bearer <ACCESS_TOKEN>" https://my-api.<DOMAIN>

Here is an equivalent example in Golang:

1
package main

2


3
import (

4
	"context"

5
	"fmt"

6
	"io"

7


8
	"golang.org/x/oauth2/clientcredentials"

9
)

10


11
func main() {

12
	if err := doMain(context.Background()); err != nil {

13
		panic(err)

14
	}

15
}

16


17
func doMain(ctx context.Context) error {

18


19
	// Your Cluster domain

20
	domain := "example.com"

21
	// Configuration for the client credentials flow

22
	config := clientcredentials.Config{

23
		ClientID:     "y56y-9ru3",

24
		ClientSecret: "AQpAt200_CHp2S9G...",

25
		TokenURL:     fmt.Sprintf("https://%s/oauth2/token", domain),

26
	}

27


28
	// Now we obtain an access token from our OAuth2 client credentials

29
	_, err := config.Token(ctx)

30
	if err != nil {

31
		return err

32
	}

33


34
	// Now we access our Service "my-api"

35
	client := config.Client(ctx)

36
	resp, err := client.Get(fmt.Sprintf("https://my-api.%s", domain))

37
	if err != nil {

38
		return err

39
	}

40
	defer resp.Body.Close()

41


42
	bodyBytes, err := io.ReadAll(resp.Body)

43
	if err != nil {

44
		return err

45
	}

46


47
	fmt.Printf("Response: %s\n", string(bodyBytes))

48


49
	return nil

50
}

And here is an equivalent example in Typescript:

1
import axios from "axios";

2
import { URLSearchParams } from "url";

3


4
const clientId = "y56y-9ru3";

5
const clientSecret = "AQpAyteKC0UPDI1U...";

6
const domain = "<DOMAIN>";

7


8
const getToken = async (): Promise<string> => {

9
  try {

10
    const params = new URLSearchParams();

11
    params.append("grant_type", "client_credentials");

12
    params.append("client_id", clientId);

13
    params.append("client_secret", clientSecret);

14


15
    const response = await axios.post(

16
      `https://${domain}/oauth2/token`,

17
      params,

18
      {

19
        headers: {

20
          "Content-Type": "application/x-www-form-urlencoded",

21
        },

22
      }

23
    );

24


25
    return response.data.access_token;

26
  } catch (error) {

27
    console.error("Error fetching access token:", error);

28
    throw error;

29
  }

30
};

31


32
const accessProtectedResource = async (token: string) => {

33
  try {

34
    const response = await axios.get(`https://my-api.${domain}`, {

35
      headers: {

36
        Authorization: `Bearer ${token}`,

37
      },

38
    });

39
    console.log(response)

40
  } catch (error) {

41
    throw error;

42
  }

43
};

44


45
const main = async () => {

46
  const accessToken = await getToken();

47
  await accessProtectedResource(accessToken);

48
};

49


50
main();

51
NOTE

You can additionally add Octelium scopes as OAuth2 scopes. Read more about scopes here.

There are standard libraries in almost all the major programming languages to use the OAuth2 client credentials flow and obtain the access token. Some examples are:

NOTE

You can also use the issued access token in the X-Octelium-Auth: <ACCESS_TOKEN> header instead of using it in the typical Authorization: Bearer <ACCESS_TOKEN> header.

© 2025 octelium.comOctelium Labs, LLCAll rights reserved
Octelium and Octelium logo are trademarks of Octelium Labs, LLC.
WireGuard is a registered trademark of Jason A. Donenfeld
AboutContactEnterprise
Privacy PolicyTerms