The OAuth2 client credentials grant type is designed for machine-to-machine authentication where no user is involved. A client (like an MCP server) exchanges its client ID and client secret for an access token.
Use client credentials for server-to-server communication, background jobs, and automated systems that don't act on behalf of a specific user.
GitHat issues client credentials to verified MCP servers. Servers exchange them for 5-minute access tokens via POST /mcp/token.
Yes, provided the credentials are kept server-side. Never expose client secrets in client-side code. Combined with the short token TTL, this is a sound machine-to-machine (M2M) authentication pattern.
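The exchange described above, written out as an added example that is not GitHat's own code: a server-side client builds the RFC 6749 client-credentials request (client ID and secret in an HTTP Basic `Authorization` header, `grant_type=client_credentials` in the form body), caches the 5-minute token, and re-requests it shortly before expiry. The base URL `https://githat.example` is a hypothetical placeholder (only the `/mcp/token` path comes from the page), and `fake_token_endpoint` is a constructed stand-in for the real token endpoint so the example runs offline.

```python
import base64
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

# Hypothetical host; the /mcp/token path is the one the page names.
TOKEN_URL = "https://githat.example/mcp/token"
TOKEN_TTL_SECONDS = 300        # the page states a 5-minute access token lifetime
REFRESH_LEEWAY_SECONDS = 30    # refresh early so no request is sent with an expired token


def build_token_request(client_id: str, client_secret: str) -> Tuple[Dict[str, str], str]:
    """RFC 6749 client-credentials request: secret travels in the Basic auth header
    (never in a URL or query string), body carries only the grant type."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials"})
    return headers, body


@dataclass
class TokenCache:
    access_token: Optional[str] = None
    expires_at: float = 0.0


class ClientCredentialsClient:
    """Server-side M2M client: the secret lives only in process memory, the
    short-lived token is cached and renewed before it expires."""

    def __init__(self, client_id: str, client_secret: str,
                 transport: Callable[[str, Dict[str, str], str], Tuple[int, dict]],
                 clock: Callable[[], float] = time.time):
        self._client_id = client_id
        self._client_secret = client_secret
        self._transport = transport   # (url, headers, body) -> (status, json payload)
        self._clock = clock
        self._cache = TokenCache()
        self.token_requests = 0       # round trips made; useful for observability

    def get_token(self) -> str:
        now = self._clock()
        if self._cache.access_token and now < self._cache.expires_at - REFRESH_LEEWAY_SECONDS:
            return self._cache.access_token
        headers, body = build_token_request(self._client_id, self._client_secret)
        status, payload = self._transport(TOKEN_URL, headers, body)
        self.token_requests += 1
        if status != 200 or payload.get("token_type", "").lower() != "bearer":
            raise RuntimeError(f"token request failed: {status} {payload.get('error')}")
        ttl = int(payload.get("expires_in", TOKEN_TTL_SECONDS))
        self._cache = TokenCache(payload["access_token"], now + ttl)
        return self._cache.access_token


def fake_token_endpoint(valid_id: str, valid_secret: str):
    """Constructed stand-in for POST /mcp/token: checks the Basic credentials and
    grant type, then issues a bearer token with the page's 5-minute TTL."""
    issued = {"count": 0}

    def transport(url: str, headers: Dict[str, str], body: str) -> Tuple[int, dict]:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401, {"error": "invalid_client"}
        cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        if cid != valid_id or secret != valid_secret:
            return 401, {"error": "invalid_client"}
        if body != "grant_type=client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        issued["count"] += 1
        return 200, {"access_token": f"tok-{issued['count']}",
                     "token_type": "Bearer", "expires_in": TOKEN_TTL_SECONDS}

    return transport


if __name__ == "__main__":
    client = ClientCredentialsClient("svc", "s3cret", fake_token_endpoint("svc", "s3cret"))
    print(client.get_token())   # first call hits the endpoint
    print(client.get_token())   # second call is served from the cache
    print("token requests:", client.token_requests)
```

Swapping `fake_token_endpoint` for a real HTTP call (any client that sends the returned headers and body in a POST) is the only change needed to use this against a live endpoint; the caching and early-refresh logic stays the same.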
Ship authenticated apps in minutes, not weeks.