The grant, step by step
Client credentials is the machine-to-machine OAuth grant: there is no user in the loop, so no browser redirect and no authorisation code. Your server holds a client_id and client_secret, posts them to the token endpoint, and receives an access token it uses until the token expires — then it repeats. Keep the secret on the server only; it must never reach a browser or mobile client.
Mint a token at POST /partner/v1/oauth/token:
Requesting a token
curl -s -X POST https://hub.credicorp.co.uk/partner/v1/oauth/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d grant_type=client_credentials \
-d client_id=$CREDICORP_CLIENT_ID \
-d client_secret=$CREDICORP_CLIENT_SECRET \
-d scope='applications:write decisions:read'
The response is a bearer token with an expiry (expires_in, in seconds) and the granted scope. Cache it and reuse it until shortly before expiry rather than minting one per request: the token endpoint is itself rate-limited.
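The mint-and-cache loop described above, written out as an added example in Go (this is not code from the page or from Credicorp's own tooling). A TokenSource posts the same client-credentials form the curl command sends, keeps the token in memory, and only re-mints once fewer than Skew seconds of the expires_in lifetime remain, so the rate-limited token endpoint is hit as rarely as possible. The token endpoint here is a local httptest stand-in that checks the grant type and secret and counts mints; the client id, secret, token values and 300-second lifetime are constructed for the example, and in a real integration TokenURL would be the hub's /partner/v1/oauth/token URL.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

// tokenResponse carries the fields the page says the token endpoint returns.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
	Scope       string `json:"scope"`
}

// TokenSource mints a client-credentials token and caches it until shortly before it expires.
// The secret never leaves the server process; callers only ever see the bearer token.
type TokenSource struct {
	TokenURL, ClientID, ClientSecret, Scope string
	Skew   time.Duration    // re-mint this long before expires_in elapses
	HTTP   *http.Client
	Now    func() time.Time // injectable clock, so expiry can be simulated offline
	mu     sync.Mutex
	token  string
	expiry time.Time
}

// Token returns the cached token, or mints a new one when none is held or expiry is near.
// Send the result on every partner call as "Authorization: Bearer <token>".
func (ts *TokenSource) Token() (string, error) {
	ts.mu.Lock()
	defer ts.mu.Unlock()
	now := ts.Now()
	if ts.token != "" && now.Add(ts.Skew).Before(ts.expiry) {
		return ts.token, nil
	}
	form := url.Values{"grant_type": {"client_credentials"}, "client_id": {ts.ClientID},
		"client_secret": {ts.ClientSecret}, "scope": {ts.Scope}}
	resp, err := ts.HTTP.Post(ts.TokenURL, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var tr tokenResponse
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&tr) != nil ||
		tr.AccessToken == "" || tr.ExpiresIn <= 0 {
		return "", fmt.Errorf("token endpoint: unusable response (HTTP %d)", resp.StatusCode)
	}
	ts.token, ts.expiry = tr.AccessToken, now.Add(time.Duration(tr.ExpiresIn)*time.Second)
	return ts.token, nil
}

// fakeTokenEndpoint stands in for POST /partner/v1/oauth/token (constructed for this example).
// It checks the grant type and secret, counts mints, and answers with a 300-second token.
func fakeTokenEndpoint(mints *int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.ParseForm() != nil || r.PostForm.Get("grant_type") != "client_credentials" ||
			r.PostForm.Get("client_secret") != "example-secret" {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		*mints++
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(tokenResponse{AccessToken: fmt.Sprintf("tok-%d", *mints),
			TokenType: "Bearer", ExpiresIn: 300, Scope: r.PostForm.Get("scope")})
	}))
}

// Scenario drives the cache: two calls share one token, and a call made when less than Skew
// remains before expiry mints a fresh one. It returns the three tokens and the mint count.
func Scenario() (first, second, third string, mints int, err error) {
	srv := fakeTokenEndpoint(&mints)
	defer srv.Close()
	clock := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	ts := &TokenSource{TokenURL: srv.URL, ClientID: "example-client", ClientSecret: "example-secret",
		Scope: "applications:write decisions:read", Skew: 60 * time.Second, HTTP: srv.Client(),
		Now: func() time.Time { return clock }}
	if first, err = ts.Token(); err != nil {
		return
	}
	if second, err = ts.Token(); err != nil { // same instant: served from cache
		return
	}
	clock = clock.Add(250 * time.Second) // 50 s of a 300 s lifetime left, inside the 60 s skew
	third, err = ts.Token()
	return
}

func main() { fmt.Println(Scenario()) }
```

Running it prints tok-1 twice, then tok-2 with a mint count of 2. The mutex matters in a real server: without it, a burst of concurrent partner calls arriving at expiry would each mint a token and burn through the endpoint's rate limit. The injectable clock is what lets the expiry path be exercised without sleeping through a token lifetime.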
Using and verifying the token
Send the token on every partner call as Authorization: Bearer <access_token>. Tokens are signed JWTs; if you want to verify them yourself — for instance in a resource server of your own — fetch the public keys from the JWKS endpoint and validate the signature, issuer and audience. Introspection is also available at POST /partner/v1/oauth/introspect for opaque validation.
The ring publishes its OAuth metadata at the standard /.well-known/oauth-authorization-server discovery document, so most OAuth libraries can configure themselves automatically from the base URL.
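Verifying a token locally, as an added example in Go (not code from the page or from Credicorp): VerifyJWT takes a JWKS document, looks up the key named by the token header's kid, checks the signature over the header and payload, and only then decodes the claims and compares iss, aud and exp. The page does not state which key type or algorithm the hub signs with, so the example assumes ES256 (P-256) and generates its own throwaway key in fakeHub, which stands in for the hub's signer; the issuer, audience and kid strings are placeholders. In a real deployment the issuer value comes from the discovery document mentioned above and the JWKS from the jwks_uri it advertises, fetched over HTTPS and cached.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // every JWT segment is unpadded base64url

// Claims holds the registered claims this verifier checks plus the granted scope.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Scope string `json:"scope"`
}

// VerifyJWT validates an ES256 token against a JWKS document (kid lookup, signature, iss, aud, exp).
func VerifyJWT(token, jwksJSON, wantIss, wantAud string, nowUnix int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not a three-part compact JWS")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	raw, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("bad header or unexpected alg %q (only ES256 is accepted)", hdr.Alg)
	}
	var set struct{ Keys []struct{ Kty, Crv, Kid, X, Y string } }
	_ = json.Unmarshal([]byte(jwksJSON), &set) // an unparsable document simply yields no keys
	var pub *ecdsa.PublicKey
	for _, k := range set.Keys {
		x, errX := b64.DecodeString(k.X)
		y, errY := b64.DecodeString(k.Y)
		if k.Kid == hdr.Kid && k.Kty == "EC" && k.Crv == "P-256" && errX == nil && errY == nil {
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		}
	}
	sig, err := b64.DecodeString(parts[2]) // ES256 signatures are raw r||s, 32 bytes each
	if pub == nil || err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("no usable P-256 key for kid %q, or malformed signature", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature does not verify under kid %q", hdr.Kid)
	}
	var c Claims // decoded only now, after the signature has been verified
	if raw, err = b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("malformed claims segment")
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return nil, fmt.Errorf("iss %q / aud %q do not match expected %q / %q", c.Iss, c.Aud, wantIss, wantAud)
	}
	if nowUnix >= c.Exp {
		return nil, fmt.Errorf("token expired at %d", c.Exp)
	}
	return &c, nil
}

// fakeHub stands in for the hub's token service (constructed for this example): it generates a
// throwaway P-256 key, signs the claims with it and renders the JWKS a real client would fetch.
func fakeHub(kid string, c Claims) (token, jwksJSON string) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(c)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signing))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	sig, xy := make([]byte, 64), make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	priv.X.FillBytes(xy[:32])
	priv.Y.FillBytes(xy[32:])
	jwksJSON = fmt.Sprintf(`{"keys":[{"kty":"EC","crv":"P-256","kid":%q,"x":%q,"y":%q}]}`,
		kid, b64.EncodeToString(xy[:32]), b64.EncodeToString(xy[32:]))
	return signing + "." + b64.EncodeToString(sig), jwksJSON
}

func main() {
	const iss, aud, kid = "https://issuer.example", "partner-api.example", "kid-example" // placeholders
	const now int64 = 1700000000
	tok, keys := fakeHub(kid, Claims{Iss: iss, Aud: aud, Exp: now + 300, Scope: "applications:write decisions:read"})
	c, err := VerifyJWT(tok, keys, iss, aud, now)
	fmt.Println("genuine token:", err == nil && c.Scope == "applications:write decisions:read")
	// Reuse the genuine signature over a payload that claims more scope: the signature check must fail.
	parts := strings.Split(tok, ".")
	forged, _ := json.Marshal(Claims{Iss: iss, Aud: aud, Exp: now + 300, Scope: "admin"})
	_, err = VerifyJWT(parts[0]+"."+b64.EncodeToString(forged)+"."+parts[2], keys, iss, aud, now)
	fmt.Println("forged payload rejected:", err != nil)
	_, err = VerifyJWT(tok, keys, iss, aud, now+600)
	fmt.Println("expired token rejected:", err != nil)
}
```

Two design choices carry the security weight. The accepted algorithm is pinned in the verifier rather than read from the token, so a header naming some other alg is rejected before any key is consulted; and the claims are not decoded until the signature has verified, so iss, aud and exp are only ever compared on data the hub actually signed. A resource server of your own would swap fakeHub for an HTTPS fetch of the hub's JWKS, re-fetching when it meets a kid it has not seen.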
Frequently asked questions
Why client credentials and not authorization code?
There is no end user signing in — your server is acting as itself against the partner API. Client credentials is the OAuth grant designed for that machine-to-machine case, so there is no redirect, no code exchange and no refresh token.
How long does an access token last?
Tokens are short-lived; the exact lifetime is returned in expires_in on each token response. Cache and reuse a token until just before it expires, then request a new one — do not mint a fresh token on every API call.