> ## Documentation Index
> Fetch the complete documentation index at: https://developer.hellgate.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Request an access token

> Exchange your client ID and client secret for an OAuth2 access token using the client-credentials grant. Send the credentials with HTTP Basic authentication and the form fields as `application/x-www-form-urlencoded`.



## OpenAPI

````yaml /platform/openapi.yaml post /oauth2/token
openapi: 3.1.0
info:
  title: Authentication API
  description: >-
    Issue OAuth2 access tokens for Hellgate Cloud Platform services using the
    client-credentials grant.
  version: '1.0'
  contact:
    name: Starfish GmbH & Co. KG
    email: hello@starfish.team
    url: https://hellgate.io
  license:
    name: Hellgate API Terms
    url: https://hellgate.io/terms-and-conditions
servers:
  - url: https://auth.eu1.hellgate.cloud
    description: EU1 environment
security: []
tags:
  - name: OAuth2
    description: OAuth2 token endpoint.
paths:
  /oauth2/token:
    post:
      tags:
        - OAuth2
      summary: Request an access token
      description: >-
        Exchange your client ID and client secret for an OAuth2 access token
        using the client-credentials grant. Send the credentials with HTTP Basic
        authentication and the form fields as
        `application/x-www-form-urlencoded`.
      operationId: requestAccessToken
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - grant_type
                - scope
                - audience
              properties:
                grant_type:
                  type: string
                  enum:
                    - client_credentials
                  description: Must be `client_credentials`.
                scope:
                  type: string
                  description: >-
                    Space-delimited list of scopes to request. Required — there
                    are no default scopes. Must be a subset of the scopes
                    provisioned on your client.
                  example: decisions:create
                audience:
                  type: string
                  description: >-
                    Space-delimited list of audiences — the service instances
                    the token may call. Each audience is the instance name only,
                    not its full hostname (for example, `my-lovely-specter-42`,
                    not `my-lovely-specter-42.eu1.on-hellgate.cloud`). Required
                    — there is no default audience. Must be within the audiences
                    provisioned on your client. The target service validates the
                    token's `aud` claim on each request.
                  example: my-lovely-specter-42
      responses:
        '200':
          description: The access token was issued.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
        '401':
          description: The client credentials are missing or invalid.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenError'
      security:
        - basicAuth: []
components:
  schemas:
    TokenResponse:
      type: object
      required:
        - access_token
        - token_type
        - expires_in
      properties:
        access_token:
          type: string
          description: The signed JWT to send as a bearer token on API requests.
        token_type:
          type: string
          description: Always `bearer`.
          example: bearer
        expires_in:
          type: integer
          description: Seconds until the token expires. Tokens are valid for 30 minutes.
          example: 1800
        scope:
          type: string
          description: The scopes granted on the token.
          example: decisions:create
      example:
        access_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
        token_type: bearer
        expires_in: 1800
        scope: decisions:create
    TokenError:
      type: object
      required:
        - error
      properties:
        error:
          type: string
          example: invalid_client
        error_description:
          type: string
          example: Client authentication failed.
      example:
        error: invalid_client
        error_description: Client authentication failed.
  securitySchemes:
    basicAuth:
      type: http
      scheme: basic
      description: Your client ID and client secret, sent as HTTP Basic credentials.

````