Troubleshooting issues with the client credentials grant type

This section describes common issues that may be encountered when using the client credentials grant type in API Gateway and provides troubleshooting guidance for resolving them.

Policies not working as expected

The client credentials grant type does not have an associated service account. Therefore, certain API Gateway policies that depend on user association may return empty values or behave differently.

  • Header Policy: When identity2 information is requested, the response is empty.
  • Quota Policy: When the userlevel attribute is set to true, the policy does not apply correctly, and the quota is enforced at the tenant level.
  • UserSecurityClaims Policy: This policy does not return results because no user is associated with the token.

Unsupported features

Some features are disabled for backend service authorized applications that use the client credentials grant type.

  • IONAPI Bridge functionality is not supported. The following controls are disabled:
    • User Impersonation
    • ID Translation
    • Upload Public Key
    • Generate Key Pair
  • Refresh tokens are not supported. The Issue Refresh Tokens toggle is disabled.

Invalid grant type error

Token generation may fail if the grant type of the authorized application does not match the grant type specified in the token request. Verify that both configurations use the same grant type value.
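The check described above, together with the refresh token restriction listed under Unsupported features, can be run before a token request is sent. This is an added example, not code from the API Gateway product: the application record and its field names are hypothetical, the request bodies are constructed, and it assumes the token endpoint returns errors in the JSON form defined by RFC 6749 section 5.2.

```python
import json
from urllib.parse import parse_qs

# Constructed application record; field names are hypothetical, not the gateway's schema.
APP = {"client_id": "example-backend-app", "grant_type": "client_credentials"}

# Error codes from RFC 6749 section 5.2 that relate to the grant type.
GRANT_ERRORS = {
    "unsupported_grant_type": "the server does not support the requested grant type",
    "unauthorized_client": "this client is not authorized to use the requested grant type",
    "invalid_grant": "the supplied grant or refresh token is invalid, expired or revoked",
}

def preflight(app, body):
    """Check a form-encoded token request against the application's configuration.

    Returns a list of (code, message) findings; an empty list means no mismatch.
    """
    form = {k: v[0] for k, v in parse_qs(body).items()}
    configured, requested = app["grant_type"], form.get("grant_type")
    findings = []
    if requested is None:
        findings.append(("missing_grant_type", "request has no grant_type parameter"))
    elif requested != configured:
        findings.append(("grant_mismatch",
                         f"request sends {requested!r}, application uses {configured!r}"))
    if configured == "client_credentials":
        if requested == "refresh_token" or "refresh_token" in form:
            findings.append(("refresh_unsupported",
                             "refresh tokens are not issued for client credentials"))
        if "username" in form or "password" in form:
            findings.append(("user_fields_present",
                             "no user is associated with a client credentials token"))
    return findings

def explain_error(response_text):
    """Map an RFC 6749 style JSON error body to a grant-type hint, or None."""
    try:
        return GRANT_ERRORS.get(json.loads(response_text).get("error"))
    except (ValueError, AttributeError, TypeError):
        return None  # not JSON, or not a JSON object with a string error code

if __name__ == "__main__":
    # Constructed request bodies and error response, for illustration only.
    for body in ("grant_type=client_credentials&client_id=a&client_secret=b",
                 "grant_type=password&username=u&password=p",
                 "grant_type=refresh_token&refresh_token=r"):
        print(body, "->", [code for code, _ in preflight(APP, body)])
    print(explain_error('{"error": "unsupported_grant_type"}'))
```
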

Target API authentication failure

Some target API servers enforce additional user-based authentication. These APIs may reject requests made with the client credentials grant type, even when the same request passes authentication in the API Gateway. Ensure that the correct grant type is selected based on the target server’s authentication requirements.