Once you have created an API Client in Keycloak, use your credentials to obtain an access token.
Best for Automation Use Machine-to-Machine (M2M) authentication for CI/CD pipelines (Jenkins, GitHub Actions) and background services. This method supports zero-downtime credential rotation.
Prerequisites
You need the client_id and client_secret from your API Client Setup.
Request Token
Use the Client Credentials Grant flow to exchange your ID and Secret for a Bearer token.
# 1. Set your credentials (export them in your shell or CI/CD env)
export BINARLY_CLIENT_ID="your-client-id"
export BINARLY_CLIENT_SECRET="your-client-secret"
# Replace {slug} with your organization's tenant identifier
export BINARLY_AUTH_URL="https://auth-{slug}.binarly.cloud/realms/BinarlyRealm/protocol/openid-connect/token"
# 2. Request the token
curl -s --fail-with-body \
-H "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "grant_type=client_credentials" \
--data-urlencode "client_id=${BINARLY_CLIENT_ID}" \
--data-urlencode "client_secret=${BINARLY_CLIENT_SECRET}" \
"${BINARLY_AUTH_URL}"
Response
The API returns a JSON object containing your access_token.
{
"access_token": "eyJhbGciOiJSUzI1NiIs...",
"token_type": "Bearer",
"expires_in": 1800
}
Using the Token
Include the token in the Authorization header when making API requests:
Authorization: Bearer <access_token>
Note: Tokens expire after 30 minutes. Your automation should request a fresh token before each job or handle 401 Unauthorized errors by refreshing credentials.
