The full cycle
The lifecycle is a short loop. Your server posts its client credentials to the token endpoint, caches the returned token alongside its expiry, and attaches it to every partner call. Shortly before the token expires it mints a fresh one and swaps it in. Because there is no user session, there is no refresh token — the client-credentials grant re-mints from the same secret each time.
Caching correctly
Key the cache by client and scope, and store the absolute expiry (now + expires_in, minus a safety margin of a few seconds). Serve the cached token to every worker rather than minting one per request — the token endpoint is rate-limited and a mint-per-call pattern will throttle you fast. In a multi-process deployment, share the token through a small cache (for example Redis) so all workers reuse one live token.
Handling expiry mid-flight
Even with a margin, a token can expire between your local expiry check and the moment the server validates it against its own clock. Treat a 401 with an expired-token reason as a signal to mint once and retry the request exactly once. Do not retry blindly on every 401: an invalid credential (bad secret, revoked client) also returns 401, and retrying that just burns your token-endpoint quota.
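The caching and retry rules above, as an added example (not code from the partner API or its SDK). The mint and send callables, the 5-second margin and the reason strings "token_expired" and "invalid_client" are assumptions; an in-process dict stands in for the shared cache.

```python
import threading
import time

SAFETY_MARGIN = 5  # seconds subtracted from expires_in (assumed value)

class TokenCache:
    """Holds one live token per (client_id, scope) for every worker in a process."""
    def __init__(self, mint, clock=time.time):
        self._mint = mint      # mint(client_id, scope) -> (token, expires_in)
        self._clock = clock
        self._lock = threading.Lock()
        self._entries = {}     # (client_id, scope) -> (token, absolute_expiry)
        self.mints = 0         # token-endpoint calls made so far

    def get(self, client_id, scope, stale=None):
        """Return the cached token; re-mint if missing, expired, or equal to `stale`."""
        key = (client_id, scope)
        with self._lock:
            entry = self._entries.get(key)
            if entry is None or self._clock() >= entry[1] or entry[0] == stale:
                token, expires_in = self._mint(client_id, scope)
                self.mints += 1
                entry = (token, self._clock() + expires_in - SAFETY_MARGIN)
                self._entries[key] = entry
            return entry[0]

def call_partner(cache, send, client_id, scope):
    """send(token) -> (status, reason). Retries once, and only for an expired token."""
    token = cache.get(client_id, scope)
    status, reason = send(token)
    if status == 401 and reason == "token_expired":  # assumed reason string
        # Passing the rejected token means a token already swapped in by
        # another worker is reused instead of triggering a second mint.
        status, reason = send(cache.get(client_id, scope, stale=token))
    return status, reason

def demo():
    """Runs four calls against constructed fakes of the token endpoint and API."""
    now, issued = [1000.0], []
    def mint(client_id, scope):
        issued.append(f"tok-{len(issued) + 1}")
        return issued[-1], 60
    cache = TokenCache(mint, clock=lambda: now[0])
    args = ("client-a", "applications:write")  # sample client and scope
    results = [call_partner(cache, lambda t: (200, "ok"), *args)]
    now[0] += 30  # well inside the lifetime: the cached token is served
    results.append(call_partner(cache, lambda t: (200, "ok"), *args))
    reused = cache.mints
    srv = lambda t: (401, "token_expired") if t == "tok-1" else (200, "ok")
    results.append(call_partner(cache, srv, *args))  # one mint, one retry
    results.append(call_partner(cache, lambda t: (401, "invalid_client"), *args))
    return results, reused, cache.mints  # the last 401 costs no mint and no retry
```

In a multi-process deployment the dict and lock would be replaced by the shared cache, with the same compare-before-mint check on the stale token.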
Frequently asked questions
Is there a refresh token?
No. The client-credentials grant has no refresh token because there is no user session to keep alive. When your access token expires you request a new one directly from the token endpoint using the same client credentials.
How many tokens should my service hold at once?
Ideally one live token per (client, scope) pair, shared across your workers. Minting a token per request or per worker wastes your token-endpoint rate-limit budget and offers no benefit.