All Collections
Getting started with Client Credentials Flow for Creative Force Gateway API
Getting started with Client Credentials Flow for Creative Force Gateway API
Ian Mitchell avatar
Written by Ian Mitchell
Updated over a week ago

The Creative Force Gateway API allows for a client's credentials to be used as a method of authentication.

Available Creative Force Gateway API methods can be found here:

The OAuth Flow

The following diagram shows the flow for the Client Credentials access type:

  1. Authenticate w/ Client ID and Secret: The app authenticates with the authorization server using its client ID and client secret.

  2. Issue Access Token: The authorization server validates the client ID and client secret and issues an access token.

  3. Request Resource w/ Access Token: The app attempts to access the resource from the resource server by presenting the access token.

  4. Return Resource: If the access token is valid, the resource server returns the resources to the app.

Step 1. Register App

You'll need to register your app before getting started. A registered app is assigned a unique Application ID (OAuth: Client ID) and Secret Key (OAuth: Client Secret) which will be used in the Client Credentials flow. The Client Secret should not be shared.

  1. Go to Studio settings -> Integrations -> Register Apps

  2. Click “REGISTER APP”.

  3. Choose Client Credentials for Allowed Grant Type.

  4. Enter an application name and description.

  5. Choose a user that the Application will behalf on. You can create a new user if needed. The application will use that user’s permissions, role and group, but not the password or token of that user.

Step 2. Get access token

To get the access token, you should programmatically (or via Postman, curl or similar tools) make a request to the URL stated below using the parameters listed.

The access token URL


  • client_id=[Application ID from the registered App]

  • client_secret=[Secret Key from the registered App]

  • scope=cfgateway

  • grant_type=client_credentials


curl --location --request POST '' \
--header 'User-Agent: TestClient/1.0' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=9735b650-c637-xxxxxxxxxx' \
--data-urlencode 'client_secret=c74ebd420xxxxxxxxxx' \
--data-urlencode 'scope=cfgateway'

The result of the request will be an access_token like:

"access_token": "jG0iaVeyyatI0Kxxxxxxxxxx",
"expires_in": 3600,
"token_type": "Bearer",
"scope": "cfgateway"

This token should be stored and used for API requests on the Creative Force Gateway API.

Refreshing an expired access token

The access token will be expired:

  • After 1 hour

  • After generating a new secret key

  • After changing the on behalf user

This access token is separated from the on behalf user’s token, therefore no impact to that user.

To refresh, you will have to get a new access token as mentioned in Step 2.

Making API Requests

When making requests to the Creative Force Gateway API, you must use the access token as part of your request.


curl --location --request GET '' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer jG0iaVeyyatI0Kxxxxxxxxxx'

Did this answer your question?