# Password Flow

> ⚠️ **It is not recommended to use the password flow** due to the inherent risks of collecting and storing user passwords on a client application.

The password grant type is an OAuth 2.0 protocol flow for authenticating users, and is designed for legacy applications. We recommend the Authorization Code flow for retrieving user tokens where possible; it ensures that no access tokens are sent to the browser. If you are writing a native or single-page application that cannot store a `client_secret` securely, we recommend [Authorization Code with PKCE](/apis/platform/ids/flows/authorization-code-with-pkce).

## Token request

Requesting tokens with the password flow is done by sending a user's credentials to the `POST /connect/token` endpoint. The request body requires a `client_id`, a `grant_type` equal to `password`, and the user's credentials.

### POST /connect/token

```HTTP
POST https://id.aritma.io/{tenant}/connect/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

client_id=YOUR_CLIENT_ID&
client_secret=YOUR_CLIENT_SECRET&
grant_type=password&
username=USERNAME&
password=PASSWORD
```

Response:

```HTTP
HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token":"eyJz93a...k4laUWw",
  "refresh_token":"GEbRxBN...edjnXbL",
  "id_token":"eyJ0XAi...4faeEoQ",
  "token_type":"Bearer",
  "expires_in":86400
}
```

| Parameter | Description |
| --- | --- |
| grant_type (required) | Denotes the flow you are using. For the password flow, use `password`. |
| client_id (required) | Your application's Client ID. |
| client_secret (required) | Your application's Client Secret. |
| username (required) | The username of the user. |
| password (required) | The password for the user. |
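The token request above, as an added example that is not part of the original page or of Aritma's own SDK: it form-encodes the credentials (so characters such as `&` or `=` in a password cannot corrupt the body), posts them once, validates the JSON response and keeps only the tokens. The `send` parameter, the tenant `acme` and the error-response shape (RFC 6749 `error` field, not shown on the page) are assumptions made for this example.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://id.aritma.io/{tenant}/connect/token"

def build_token_request(tenant, client_id, client_secret, username, password):
    """Build (url, body, headers) for POST /connect/token with grant_type=password.
    urlencode escapes '&', '=' and '@', so a password like 'p@ss&word=1'
    cannot corrupt the form body or smuggle in extra parameters."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "password",
        "username": username,
        "password": password,
    }).encode("utf-8")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL.format(tenant=tenant), body, headers

def parse_token_response(status, body):
    """Validate the token JSON and add an absolute expiry timestamp.
    Non-200 responses are assumed to carry the RFC 6749 'error' field;
    the page itself documents only the success response."""
    data = json.loads(body)
    if status != 200:
        raise RuntimeError(f"token request failed: {data.get('error', status)}")
    for key in ("access_token", "token_type", "expires_in"):
        if key not in data:
            raise ValueError(f"token response missing {key}")
    data["expires_at"] = time.time() + int(data["expires_in"])
    return data

def _https_send(url, body, headers):
    # Default transport: urllib over HTTPS. A 400 still carries the error JSON.
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def request_token(tenant, client_id, client_secret, username, password, send=_https_send):
    """Exchange the credentials once, then keep only the tokens: renew with
    refresh_token instead of storing or re-sending the user's password."""
    url, body, headers = build_token_request(tenant, client_id, client_secret, username, password)
    return parse_token_response(*send(url, body, headers))
```

Pass a fake `send` to exercise the request building and response parsing offline; the default transport performs the real HTTPS call.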