An OAuth client bearer token grants access to the Content Management API , which lets applications work with Content Hub ONE data to manage content types, content, and media. OAuth is an open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information without giving them their passwords. In a backend integration Client Credentials flow, a successful authentication request requires the following client credential properties, which can be retrieved from the Content Hub ONE app:




The grant_type is always set to client_credentials.


The client ID for the app.


The client secret for the app.


The audience for your tenant. This will be in the form


The authority for your tenant. This is the POST URL, in the form

The following example of a Generate token x-www-form-urlencoded POST request shows the authentication properties required to create an OAuth client bearer token.

example of authentication properties

When using OAuth for authentication, the user information shows changes as being done by the System User.

Create an OAuth client bearer token

Using the client credentials, you can create a token, which you use to authenticate to the Content Management API.


The Settings menu is only visible if you have the Admin role.

To create an OAuth client bearer token:

  1. On the menu bar, click Settings and, in the INTEGRATION section of the left pane, click OAuth client.

  2. On the OAuth client page, in the Grant type section, click Client credentials.

  3. Copy the client credentials, paste them in your development tool, and then execute the Generate token method.

This generates an access token like the one in the following response.


  "access_token": "ciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Im1",
  "scope": "hc.mgmnt.types:read hc.mgmnt.types:write hc.mgmnt.items:manage hc.mgmnt.states:publish hc.mgmnt.apikeys:manage hc.mgmnt.clients:read hc.mgmnt.users:read mms.upload.file:add mms.upload.file:remove",
  "expires_in": 900,
  "token_type": "Bearer"

You use this access token to authenticate with the Content Management API. The expires_in parameter is the number of seconds that the access token is valid.


The Device grant type is used with the CH ONE CLI to perform operations in the context of a user account. With the CLI, use the Client credentials grant type only when running the CLI in automation.

Do you have some feedback for us?

If you have suggestions for improving this article,