We use OpenID Connect 1.0, which works on top of OAuth 2.0, to allow services to verify the identity of an end-user or a client. Authentication is performed by an open-source authentication server, Keycloak. The server can be accessed at
We configured the Client Credentials Grant for the scope of this integration. It allows us to authenticate a client with its client ID and client secret and retrieve an access token dedicated to limited resources.

The client should obtain an access token by sending an HTTP POST request to the authentication server with its client ID and client secret.
Here is the cURL example to obtain an access token:
curl --location --request POST '' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<client_name>' \
--data-urlencode 'client_secret=7f1ceaa0-869a-493f-81d7-994b601f657a' \
--data-urlencode 'grant_type=client_credentials'
If the authentication server (i.e. Keycloak) successfully validates the credentials, it responds with an access token right away. Having received an access token, the client can then send GraphQL query requests using that access token.
Tip: According to the OAuth 2.0 specs, refresh tokens should not be used in this kind of flow. So whenever the access token expires, the client should send another request to obtain a new access token.

{
  "realm": "ouva",
  "auth-server-url": "",
  "resource": "<client_name>",
  "credentials": {
    "secret": "7f1ceaa0-869a-493f-81d7-994b601f657a"
  }
}