Also known as machine-to-machine, this flow allows an application to authenticate itself as an application.
You need to have a client-id with the client-credentials grant type authorized.
This flow has only one step: to retrieve an access token, make a POST request with your CLIENT_ID and CLIENT_SECRET:
# Send the parameters as a URL-encoded form body, matching the Content-Type header
curl --location 'https://api-eu.preprod.decathlon.net/connect/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=clientid' \
--data-urlencode 'client_secret=clientsecret'
That will return the following response (elements in square brackets are placeholders):
{
"access_token": "[JWT]",
"token_type": "bearer",
"expires_in": 899,
"scope": "[SCOPES]",
"jti": "[TOKEN IDENTIFIER]"
}
Response example with values:
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJwcm9maWxlOndyaXRlIiwiZW1haWw6d3JpdGUiLCJzcG9ydHMiLCJvcGVuaWQiLCJwcm9maWxlIiwic3BvcnRzOndyaXRlIiwiZW1haWwiXSwiaXNzIjoiaHR0cHM6Ly9hcGktZXUucHJlcHJvZC5kZWNhdGhsb24ubmV0L2Nvbm5lY3QiLCJleHAiOjE2Mjc1NDYwODQsImlhdCI6MTYyNzU0NTE4NCwianRpIjoiM2NheDJkZlk0dnF0NUlTM3VIU3l1T1RTMTlBIiwiY2xpZW50X2lkIjoiMDk5ZDIzMDUtM2NkMi00YjE1LThlNTctMTc3NDdiZjJjMGEyIn0.TVKxvx8bNbfnJaqiyBZrpdE_F4mjdxV3bNkq3aTrUoZGQk1sjrCgZkobETnNwrcBp5iH0DWK05qJeO2SakeeV87dleNbhXuEdKiFe91rdTs0Nm-EEiieS552FIucZE6eO44wy0CvnsMPgAi2NsEp_-1X24gW2Cpzvvjs8ZH9y5W3eTac2EgUUeONwc2v_IQ56SlOgKIuqCd8S1Ni-homoBucofVGPmdfxw2-VCqgkWx0sEEZruuxV6nIag6M8-AK633EMJBmcR67VYfpV1N02zZNJkJ2QUHfV-JFRiMXHx-IMbCdQKxlRW5zlXfmM_2hNGKo7P_cE6X7ETJBB8AxdA",
"token_type": "bearer",
"expires_in": 899,
"scope": "profile:write email:write sports openid profile sports:write email",
"jti": "3cax2dfY4vqt5IS3uHSyuOTS19A"
}
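The following client is an added example, not code from the original documentation: it builds the same form-encoded token request and reuses the access token until shortly before `expires_in` runs out, so the client secret is sent only when a renewal is needed. The `TokenCache` class, the 60-second renewal margin, reading `CLIENT_ID` and `CLIENT_SECRET` from environment variables, and the `Authorization: Bearer` header are assumptions of this example.

```python
import json
import os
import time
import urllib.parse
import urllib.request

# Endpoint from the page, using the https scheme shown in the sample token's issuer.
TOKEN_URL = "https://api-eu.preprod.decathlon.net/connect/oauth/token"


def build_token_request(client_id, client_secret, url=TOKEN_URL):
    """Build the form-encoded POST for the client-credentials grant."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def fetch_token():
    """Call the token endpoint; credentials come from the environment, not argv."""
    req = build_token_request(os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Reuse the access token and renew it `skew` seconds before it expires."""

    def __init__(self, fetch=fetch_token, skew=60, clock=time.monotonic):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._renew_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._renew_at:
            resp = self._fetch()
            if resp.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type in token response")
            # expires_in is relative to the response time (899 s in the page's sample).
            self._renew_at = self._clock() + int(resp["expires_in"]) - self._skew
            self._token = resp["access_token"]
        return self._token

    def auth_header(self):
        """Header for API calls (assumed standard Bearer usage)."""
        return {"Authorization": "Bearer " + self.get()}
```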