
# System App Authentication

A system app uses OpenID Connect's [Client Credential Flow](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4) to obtain an access token, referred to as the **system token**. Before starting, make sure you have the app credentials and URLs described in the [Getting Started](/v3/api-reference/authentication-v3/authentication-endpoints/fetch-access-token) guide.

### Getting system token

In the [Client Credential Flow](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4), get an access token by calling the `/token` endpoint:

```bash
curl --location --request POST '${Authorization Url}/v1/token' \
  --header 'accept: application/json' \
  --header 'authorization: Basic <base64(${client-id}:${client-secret})>' \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'scope=s2s'
```

The `authorization:` header in the request above is built per [HTTP Basic Authentication](https://en.wikipedia.org/wiki/Basic%5Faccess%5Fauthentication), with the `client-id` and `client-secret` used as the *username* and *password*, respectively. `Authorization Url` is unique to each fabric merchant and is shared by all system apps defined for that merchant.

fabric Identity returns the access token in the following response:

```json
{
    "token_type": "Bearer",
    "expires_in": 600,
    "access_token": "eyJraWQiOiIt...",
    "scope": "s2s"
}
```

`access_token` is the system token generated by fabric Identity and is used by the system app for all subsequent fabric API calls. System token expiration is set to 10 minutes (600 seconds) by default. Once the token expires, the API client is expected to generate another access token using the same HTTP call shown above.

### Using system token

Upon receiving a valid access token, the API client can call any fabric API by specifying the `access_token` as the [Bearer token](https://datatracker.ietf.org/doc/html/rfc6750) in the `authorization` header:

```bash
curl --location --request GET '${fabric Endpoint Url}/v1/product' \
  --header 'accept: application/json' \
  --header 'authorization: Bearer ${access_token}' \
  --header 'cache-control: no-cache'
```
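The token request and the expiry handling described above can be wrapped in a small client-side cache. This is an added example, not fabric's own code: the class and function names, the 30-second refresh margin (`skew`), and the injectable `post`/`clock` parameters are assumptions made for illustration.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

def basic_auth_header(client_id, client_secret):
    """HTTP Basic value: base64 of "client-id:client-secret"."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def post_form(url, headers, form):
    """Default transport: POST a urlencoded form, return the parsed JSON body."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send client credentials over a non-HTTPS URL")
    body = urllib.parse.urlencode(form).encode("ascii")
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class SystemTokenProvider:
    """Caches the system token and refetches it shortly before expires_in elapses."""

    def __init__(self, authorization_url, client_id, client_secret,
                 post=post_form, clock=time.monotonic, skew=30):
        # skew is an assumed safety margin in seconds, not a fabric setting
        self._url = authorization_url.rstrip("/") + "/v1/token"
        self._headers = {
            "accept": "application/json",
            "authorization": basic_auth_header(client_id, client_secret),
            "cache-control": "no-cache",
            "content-type": "application/x-www-form-urlencoded",
        }
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._expires_at:
            resp = self._post(self._url, self._headers,
                              {"grant_type": "client_credentials", "scope": "s2s"})
            if resp.get("token_type", "").lower() != "bearer" or not resp.get("access_token"):
                raise ValueError("unexpected token response")  # do not log the body
            self._token = resp["access_token"]
            self._expires_at = self._clock() + max(int(resp["expires_in"]) - self._skew, 0)
        return self._token

    def auth_headers(self):
        """Headers for a fabric API call, with the system token as Bearer."""
        return {"accept": "application/json", "authorization": "Bearer " + self.token()}
```

Load the client secret from a secret store or environment variable rather than source code, and keep both the secret and the returned token out of application logs.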
