Skip to main content

🔐 Setting Up Client Credentials Grant with AWS Cognito and Tyk API Gateway

Marvin Huaco
  • Updated

 

Overview

This guide explains how to configure the OAuth 2.0 Client Credentials Flow using:

  • AWS Cognito as the Identity Provider (IdP)

  • Tyk API Gateway to secure your APIs

  • Basic Authorization to request access tokens from Cognito

This setup is ideal for machine-to-machine (M2M) communication between applications.

🔧 AWS Cognito Setup

1. Create a Cognito User Pool

  • Go to Amazon Cognito → User Pools

  • Click “Create user pool”

  • Follow the prompts to create a user pool with default settings

2. Navigate to Domain Page & Verify Scope

  • In the left-hand navigation pane, click Domain

  • Once on the Domain page, click Resource servers

  • Locate and click edit on the existing resource server

  • Ensure that a scope like tyk exists

  • Take note of both the resource server identifier and the scope name — they are required in your token request

✅ Example scope: default-m2m-resource-server-tet6pa/tyk

3. Create an App Client

  • In the left menu, go to App clients

  • On the App clients page click  “Create app client” button

  • Next, choose the Machine-to-machine application option

  • Name your client and proceed

After the app client is created:

  • Copy the Client ID and Client Secret

  • These will be used for Basic Auth when requesting the token

4. Enable Scope in Login Settings

  • Click on the Login pages tab

  • Click Edit

  • Under Custom scopes, ensure the scope (e.g., tyk) is selected

 

🛡️ Tyk API Side

  • In the Tyk Dashboard, create a new API

  • Set Authentication mode to JWT

  • For this example, no claims are required

  • Save and apply your changes

 

 

📡 Making the Token Request (Client Credentials)

 

Query Parameters:

Include the following query parameters in your request URL:

   grant_type=client_credentials
   client_id=YOUR_CLIENT_ID
   scope=RESOURCE_SERVER_ID/scope-name

Next, navigate to the Authorization tab, select Basic Auth, and enter your credentials:

  • Username: Your App Client ID

  • Password: Your App Client Secret

Both values can be found in the App Client settings within the AWS Cognito console.

 

Then, make sure the Content-Type header is set to application/x-www-form-urlencoded.

Click Send to retrieve the access token from AWS Cognito.

Lastly, add the Authorization header with the access token to make the API call. In this example, we are calling API-B.

 

✅ Summary

With this setup, you’ve achieved:

  • M2M authentication via AWS Cognito's client credentials grant

  • Token-based access using JWT with Tyk

Related articles

Comments

0 comments

Please sign in to leave a comment.