# Client Credentials Flow

The purpose of following the OAuth2 flow is to help you retrieve an access token using your application's private client credentials.
Complete details of the specification are available in [RFC 6749 section 4.4](https://www.rfc-editor.org/rfc/rfc6749#section-4.4).

Send the following parameters www-form-encoded in the request body to the token endpoint:

| Environment | Token Endpoint |
|  --- | --- |
| Production | https://auth.dailypay.com/oauth2/token |
| UAT | https://auth.uat.dailypay.com/oauth2/token |



```json
{
  "$ref": "#/components/schemas/ClientCredentialsTokenRequest",
  "components": {
    "schemas": {
      "ClientCredentialsTokenRequest": {
        "type": "object",
        "title": "Client credentials flow",
        "required": [
          "grant_type",
          "scope",
          "client_id",
          "client_secret"
        ],
        "properties": {
          "grant_type": {
            "type": "string",
            "description": "The OAuth2 grant type",
            "const": "client_credentials"
          },
          "scope": {
            "type": "string",
            "description": "A space-separated list of scopes to request",
            "example": "client:lookup health:read"
          },
          "client_id": {
            "description": "The client id of the application requesting the token.",
            "type": "string",
            "example": "your_client_id"
          },
          "client_secret": {
            "type": "string",
            "description": "The client secret of the application requesting the token.",
            "example": "your_client_secret"
          }
        }
      }
    }
  }
}
```

The resulting access token can be used to make requests to the DailyPay REST API:

> The authorization code, access token, and refresh tokens can vary in size but will typically remain under 4096 bytes.