An OAuth client bearer token grants access to the Content Management API , which lets applications work with Content Hub ONE data to manage content types, content, and media. OAuth is an open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information without giving them their passwords. In a backend integration Client Credentials flow, a successful authentication request requires the following client credential properties, which can be retrieved from the Content Hub ONE app:

grant_typeThe grant_type is always set to client_credentials.
client_idThe client ID for the app.
client_secretThe client secret for the app.
audienceThe audience for your tenant. This will be in the form
authorityThe authority for your tenant. This is the POST URL, in the form

The following example of a Generate token x-www-form-urlencoded POST request shows the authentication properties required to create an OAuth client bearer token.

Example of authentication properties.

Create an OAuth client bearer token

Using the client credentials, you can create a token, which you use to authenticate to the Content Management API.


The Integration menu is only visible if you have the Admin role.

To create an OAuth client bearer token:

  1. On the menu bar, click Integration > OAuth client.

  2. On the OAuth client page, in the Grant type section, click Client credentials.

  3. Copy the client credentials, enter them in your development tool, and then execute the Generate token method.

This generates an access token like the one in the following response.

    "access_token": "ciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Im1",
    "scope": "hc.mgmnt.types:read hc.mgmnt.types:write hc.mgmnt.items:manage hc.mgmnt.states:publish hc.mgmnt.apikeys:manage hc.mgmnt.clients:read hc.mgmnt.users:read mms.upload.file:add mms.upload.file:remove",
    "expires_in": 900,
    "token_type": "Bearer"

You use this access token to authenticate with the Content Management API. The expires_in parameter is the number of seconds that the access token is valid.


The Device grant type is used with the CH ONE CLI to perform operations in the context of a user account. With the CLI, use the Client credentials grant type only when running the CLI in automation.

Do you have some feedback for us?

If you have suggestions for improving this article,