> ## Documentation Index
> Fetch the complete documentation index at: https://docs.binarly.io/llms.txt
> Use this file to discover all available pages before exploring further.

# M2M Authentication

Once you have created an API Client in Keycloak, use your credentials to obtain an access token.

<Tip>
  **Best for Automation** Use Machine-to-Machine (M2M) authentication for **CI/CD pipelines** (Jenkins, GitHub Actions) and background services. This method supports zero-downtime credential rotation.
</Tip>

## Prerequisites

You need the `client_id` and `client_secret` from your [API Client Setup](/api-reference/authentication/create-api-client).

## Request Token

Use the Client Credentials Grant flow to exchange your ID and Secret for a Bearer token.

<CodeGroup>
  ```bash Request theme={null}
  # 1. Set your credentials (export them in your shell or CI/CD env)
  export BINARLY_CLIENT_ID="your-client-id"
  export BINARLY_CLIENT_SECRET="your-client-secret"
  # Replace {slug} with your organization's tenant identifier
  export BINARLY_AUTH_URL="https://auth-{slug}.binarly.cloud/realms/BinarlyRealm/protocol/openid-connect/token"

  # 2. Request the token
  curl -s --fail-with-body \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "client_id=${BINARLY_CLIENT_ID}" \
    --data-urlencode "client_secret=${BINARLY_CLIENT_SECRET}" \
    "${BINARLY_AUTH_URL}"
  ```
</CodeGroup>

### Response

The API returns a JSON object containing your `access_token`.

```json theme={null}
{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 1800
}
```

## Using the Token

Include the token in the `Authorization` header when making API requests:

`Authorization: Bearer <access_token>`

> **Note**: Tokens expire after 30 minutes. Your automation should request a fresh token before each job or handle `401 Unauthorized` errors by refreshing credentials.