OAuth 2.0 Client Credentials in GravityWP API Connector

OAuth 2.0 Client Credentials is an authentication flow designed for server-to-server access. It is used when an API provider allows your site to authenticate using a Client ID and Client Secret, then exchange those credentials for an access token via a Token URL.

Unlike OAuth 2.0 Authorization Code, Client Credentials does not use a consent screen, and it does not require a redirect URL (callback URL). There is no user approval step. Your site simply requests a token directly from the provider.

This method is common for platforms that support “machine” or “service” authentication, including many CRM-style tools, internal APIs, and systems that issue server tokens for integrations.


When to use OAuth 2.0 Client Credentials

Use OAuth 2.0 (Client Credentials) when an API provider:

  • gives you a Client ID and Client Secret
  • provides a Token URL used to request an access token
  • does not require a user to log in and approve access
  • describes its OAuth setup as server-to-server, machine-to-machine, or client credentials flow

If the provider gives you a single static token that you paste once, a Bearer Token connection is usually the better fit.

If the provider requires a consent screen and a redirect URL (callback URL), use OAuth 2.0 (Authorization Code) instead.


What API Connector needs for Client Credentials

When you choose OAuth 2.0 (Client Credentials) in API Connector, the connection editor includes these fields:

  • API Name
  • Slug
  • Base URL
  • Authentication method
  • Client ID
  • Client Secret
  • Token URL
  • Scope (optional)

Key terms

Client ID

A public identifier for your integration app (created in the provider’s developer portal).

Client Secret

A private value paired with the Client ID. Treat it like a password.

Base URL

The base domain for API requests. API Connector uses this as the starting point, and your feed endpoints are typically written as paths relative to it.

Token URL

The provider endpoint used to exchange your client credentials for an access token.

Scope (optional)

A permission string that limits what the token can access. Some providers require scopes. Others ignore the field or use a different permission model.


How OAuth 2.0 Client Credentials works in API Connector

In API Connector, this authentication method is used inside the feed, meaning:

  1. Your feed runs (GET, POST, etc.).
  2. API Connector requests an access token from the Token URL using the Client ID and Client Secret.
  3. API Connector sends the API request using the access token.

Because of that, you typically won’t “authorize” the connection in the browser. The token request happens when the feed executes.
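The two HTTP requests behind steps 2 and 3, as an added example that is not API Connector's own code. It assumes the provider follows RFC 6749 section 4.4, accepts HTTP Basic client authentication, and returns a JSON token response; `api.example.com`, the client values, and the token are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode, urljoin, urlsplit
from urllib.request import Request


def build_token_request(token_url, client_id, client_secret, scope=None):
    """Step 2: the POST that exchanges client credentials for an access token."""
    if urlsplit(token_url).scheme != "https":
        # The Client Secret travels in this request, so refuse cleartext HTTP.
        raise ValueError("Token URL must use https")
    form = {"grant_type": "client_credentials"}
    if scope:  # Scope is optional; leave the parameter out when it is empty
        form["scope"] = scope
    # Assumption: HTTP Basic client authentication. Some providers expect
    # client_id and client_secret in the form body instead.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return Request(token_url, data=urlencode(form).encode(), method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    })


def parse_token_response(body):
    """Extract the access token and lifetime from the JSON token response."""
    doc = json.loads(body)
    if "error" in doc:
        raise ValueError(f"token endpoint error: {doc['error']}")
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    return doc["access_token"], doc.get("expires_in")


def build_api_request(base_url, path, access_token, method="GET"):
    """Step 3: the feed's API call, a path relative to the Base URL plus the token."""
    url = urljoin(base_url.rstrip("/") + "/", path.lstrip("/"))
    return Request(url, method=method, headers={"Authorization": f"Bearer {access_token}"})


# Constructed sample token response (not from a real provider).
SAMPLE_RESPONSE = b'{"access_token": "tok-constructed-123", "token_type": "Bearer", "expires_in": 3600}'

if __name__ == "__main__":
    req = build_token_request("https://api.example.com/oauth/token",
                              "demo-client", "demo-secret", "contacts.read")
    print(req.get_method(), req.full_url, req.data.decode())
    token, ttl = parse_token_response(SAMPLE_RESPONSE)
    api = build_api_request("https://api.example.com/v1", "contacts", token)
    print(api.get_method(), api.full_url, api.get_header("Authorization"))
```

The requests are only built, not sent, so the block runs offline; the Client Secret appears only in the token request, while the API request carries just the short-lived access token.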


Create an OAuth 2.0 Client Credentials connection

Go to the API Connector settings page in WordPress and add a new API connection.

Fill in the fields using the values from your provider’s OAuth documentation or developer settings:

  • API Name: a label that helps you recognize the connection later
  • Slug: a unique identifier for this connection (cannot be changed after saving)
  • Base URL: the API base domain you want to call
  • Authentication method: OAuth 2.0 (Client Credentials)
  • Client ID: from your provider app settings
  • Client Secret: from your provider app settings
  • Token URL: from your provider’s OAuth documentation
  • Scope (optional): only if your provider requires it