> ## Documentation Index
> Fetch the complete documentation index at: https://auth0.generaltranslation.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Application Access to APIs: Client Grants

export const AuthCodeBlock = ({filename, icon, language, highlight, children}) => {
  const [processedChildren, setProcessedChildren] = useState(children);
  useEffect(() => {
    let unsubscribe = null;
    function init() {
      unsubscribe = window.autorun(() => {
        let processedChildren = children;
        for (const [key, value] of window.rootStore.variableStore.values.entries()) {
          processedChildren = processedChildren.replace(new RegExp(key, "g"), value);
        }
        setProcessedChildren(processedChildren);
      });
    }
    if (window.rootStore) {
      init();
    } else {
      window.addEventListener("adu:storeReady", init);
    }
    return () => {
      window.removeEventListener("adu:storeReady", init);
      unsubscribe?.();
    };
  }, [children]);
  return <CodeBlock filename={filename} icon={icon} language={language} lines highlight={highlight}>
      {processedChildren}
    </CodeBlock>;
};

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  API Access Policies for Applications is currently available in [Early Access](/docs/ja-JP/troubleshoot/product-lifecycle/product-release-stages). By using this feature, you agree to the applicable Free Trial terms in Okta’s [Master Subscription Agreement](https://www.okta.com/legal/?_gl=1*agihqh*_gcl_au*NjM2NjA1MDg4LjE3NTM5ODE4NjY.*_ga*MTgyNDA4MjM2Ny4xNzE1MTAyMjQy*_ga_QKMSDV5369*czE3NTQ0NzQ3NTAkbzM1MyRnMSR0MTc1NDQ3NjU5MCRqNiRsMCRoMA..).
</Callout>

In Auth0, you can control how applications access your APIs using [application API access policies](/docs/ja-JP/get-started/apis/api-access-policies-for-applications) and client grants.

A client grant provides fine-grained application access to an API. It associates:

* An API identified by its `audience` or unique identifier.
* An application identified by its `client_id`.
* A list of permissions such as scopes and/or `authorization_details_types` that the application is allowed to request for the specified audience.

To learn more about the list of attributes you can define in a client grant, read [Client grant attributes](#client-grant-attributes). To learn how to define and manage client grants, read [Configure client grants](#configure-client-grants).

<div id="application-api-access-policies-and-client-grants">
  ## Application API access policies and client grants
</div>

When you configure an API's [application access policy](/docs/ja-JP/get-started/apis/api-access-policies-for-applications) to `require_client_grant`, only applications with a client grant defined can get an access token for the API. The client grant establishes the maximum permissions an application can request from the API by following the least privilege principle approach. As a result, Auth0 recommends using `require_client_grant` when configuring an API’s application access policy.

<div id="example-social-media-api">
  ### Example: Social Media API
</div>

To illustrate how client grants follow the least privilege principle approach, say you have a Social Media API with the permissions: `read:posts`, `write:posts`, `read:friends`, and `delete:posts`. You create an application and define a client grant with the permissions: `read:posts` and `write:posts`.

This client grant now serves as a hard ceiling. Even though the Social Media API has other permissions, your application can never request or be granted `read:friends` or `delete:posts`.

<div id="user-access-vs-client-access-flows">
  ## User access vs. client access flows
</div>

In user access and client access flows, client grants define the final set of permissions that control an application’s access to an API. The client grant’s `subject_type` attribute determines the type of application access allowed for an API.

An application can have up to two client grants for a single API:

* When you set `subject_type` to `client`, you define its machine-to-machine permissions.
* When you set `subject_type` to `user`, you define its permissions to act on the user’s behalf.

The following table explains how client grants control application access to APIs based on the access type flow:

<table class="table">
  <thead>
    <tr>
      <th><strong>Access type</strong></th>
      <th><strong>subject\_type attribute</strong></th>
      <th><strong>Description</strong></th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td>Client Credentials Flow (Machine-to-machine access flow)</td>
      <td>Set <code>subject\_type</code> to <code>client</code>.</td>
      <td>The client grant directly authorizes the application to access the API on its own behalf instead of the end user’s behalf. The permissions you define in the client grant are the ones the application is authorized to receive in the access token.</td>
    </tr>

    <tr>
      <td>User access flows</td>
      <td>Set <code>subject\_type</code> to <code>user</code>.</td>
      <td>The client grant defines the maximum permissions the application can request from the API. The final permissions in the access token issued to the application on the user’s behalf are the intersection of the permissions:<br /><ul><li style={{fontSize: ".875rem"}}>Requested by the application</li><li style={{fontSize: ".875rem"}}>Allowed by the client grant</li><li style={{fontSize: ".875rem"}}>Allowed by <a href="/docs/ja-JP/manage-users/access-control/rbac">Role-Based Access Control policies</a> for the user</li><li style={{fontSize: ".875rem"}}><a href="/docs/ja-JP/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications">Consented to by the end user</a>, if applicable.</li></ul><br />To learn more about user access flows, read <a href="/docs/ja-JP/get-started/authentication-and-authorization-flow">Authentication and Authorization Flows</a>. User access flows do not include the Client Credentials Flow.</td>
    </tr>
  </tbody>
</table>

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  You can modify the final scopes granted by the authorization server to the application or user using [Actions](/docs/ja-JP/customize/actions).
</Callout>

<div id="client-grant-attributes">
  ## Client grant attributes
</div>

A client grant has several attributes that you can define to configure application access to APIs:

<table class="table">
  <thead>
    <tr>
      <th><strong>Attribute</strong></th>
      <th><strong>Description</strong></th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td><code>id</code></td>
      <td>Unique identifier of the client grant.</td>
    </tr>

    <tr>
      <td><code>audience</code></td>
      <td>Unique identifier of the API the client grant is for.</td>
    </tr>

    <tr>
      <td><code>client\_id</code></td>
      <td>The unique ID of the application that is being granted access.</td>
    </tr>

    <tr>
      <td><code>scopes</code></td>
      <td>An array of strings representing the permissions the application can request.</td>
    </tr>

    <tr>
      <td><code>authorization\_details\_types</code></td>
      <td>An array of strings representing rich authorization data types that the application can request. This attribute can only be specified for user access flows.</td>
    </tr>

    <tr>
      <td><code>subject\_type</code></td>
      <td>The type of application access the client grant allows for:<br /><ul><li style={{fontSize: ".875rem"}}><code>user</code>: used for user access, which corresponds to all flows that generate a token associated with an end user.</li><li style={{fontSize: ".875rem"}}><code>client</code>: used for machine access, which corresponds to the Client Credentials Flow.</li></ul></td>
    </tr>

    <tr>
      <td><code>organization\_usage</code></td>
      <td>Determines how the application may use organizations when accessing the API via the Client Credentials Flow. Possible values are: <code>deny</code>, <code>allow</code>, or <code>require</code>.<br /><br />To learn more about the Organization settings, read <a href="/docs/ja-JP/manage-users/organizations/organizations-for-m2m-applications/configure-your-application-for-m2m-access#define-organization-behavior">Organizations for M2M Applications: Define Organization Behavior</a>.</td>
    </tr>

    <tr>
      <td><code>allow\_any\_organization</code></td>
      <td>Determines whether the application can access any organization when using the Client Credentials Flow.<br /><br />To learn more about the Organization settings, read <a href="/docs/ja-JP/manage-users/organizations/organizations-for-m2m-applications/configure-your-application-for-m2m-access#define-organization-behavior">Organizations for M2M Applications: Define Organization Behavior</a>.</td>
    </tr>
  </tbody>
</table>

<div id="configure-client-grants">
  ## Configure client grants
</div>

You can use the Management API to configure client grants via the `/client-grants` endpoint.

<div id="create-client-grant">
  ### Create client grant
</div>

To create a new client grant, make a [`POST`](https://auth0.com/docs/api/management/v2/client-grants/post-client-grants) request to the `/client-grants` endpoint.

The following code sample creates a client grant for an application to access the `https://api.my-service.com` API. The `subject_type` is `user`, which means the client grant is for user access, and allows the application to request the `read:item` scope and the `payment` authorization details type.

export const codeExample1 = `curl --location 'https://{yourDomain}/api/v2/client-grants' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}' \
--data '{
    "client_id": "{CLIENT_ID}",
    "audience": "https://api.my-service.com",
    "scope": [
        "read:item"
    ],
    "authorization_details_types":["payment"],
    "subject_type": "user"
}'`;

<AuthCodeBlock children={codeExample1} language="bash" />

<div id="update-client-grant">
  ### Update client grant
</div>

To update an existing client grant, make a [`PATCH`](https://auth0.com/docs/api/management/v2/client-grants/patch-client-grants-by-id) request to `/client-grants/{id}`.

The following code sample updates an existing client grant to expand its permissions. The application can now also request the `update:item` scope and an additional `credits_transfer` authorization details type.

export const codeExample2 = `curl --location --request PATCH 'https://{yourDomain}/api/v2/client-grants/{CLIENT_GRANT_ID}' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}' \
--data '{
    "scope": [
        "read:item",
        "update:item"
    ],
    "authorization_details_types":["payment", "credits_transfer"]
}'`;

<AuthCodeBlock children={codeExample2} language="bash" />

<div id="delete-client-grant">
  ### Delete client grant
</div>

To delete a client grant, make a [`DELETE`](https://auth0.com/docs/api/management/v2/client-grants/delete-client-grants-by-id) request to `/client-grants/{id}`.

The following code sample removes the client grant which revokes the application's access to the API:

export const codeExample3 = `curl --location --request DELETE 'https://{yourDomain}/api/v2/client-grants/{CLIENT_GRANT_ID}' \
--header 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}'`;

<AuthCodeBlock children={codeExample3} language="bash" />

<div id="retrieve-client-grants">
  ### Retrieve client grants
</div>

You can also query and paginate through the `client-grants` collections by using parameters like `client_id`, `audience`, or `subject_type`.

The following code sample retrieves all client grants that allow for user access to the `https://api.my-service.com` API.

export const codeExample4 = `curl --request GET \
--url 'https://{yourDomain}/api/v2/client-grants?subject_type=user&audience=https%3A%2F%2Fapi.my-service.com' \
--header 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}' \
--header 'Accept: application/json'`;

<AuthCodeBlock children={codeExample4} language="bash" />

<div id="learn-more">
  ## Learn more
</div>

* [API Access Policies for Applications](/docs/ja-JP/get-started/apis/api-access-policies-for-applications)
* [Application Grant Types](/docs/ja-JP/get-started/applications/application-grant-types)
