releases.shpreview

Strict third-party apps now support M2M with client_credentials

2 featuresThis release2 featuresNew capabilitiesAI-tallied from the release notes
From the original release noteView original ↗

We're happy to announce that strict third-party applications now support machine-to-machine (M2M) access using the client_credentials grant type.

As you expose your APIs to AI agents and partner backend services that operate without a user in the loop, you need those integrations to work within the same secure-by-default posture as the rest of your third-party application setup. This release makes that possible.

M2M-third-party-app

What's included:

  • client_credentials grant type support for strict third-party applications, available via the Management API and Dashboard.
  • Organization-scoped M2M access: strict third-party applications can request access tokens within the scope of a specific organization, with the same explicit grant requirements that apply to all M2M applications. Learn more about M2M access for organizations.
  • M2M access is intentionally restricted to applications created manually via the Management API or Dashboard. Applications registered via Dynamic Client Registration are excluded to prevent uncontrolled token issuance by unvetted third parties.

To learn more, visit the Third-Party Applications documentation.

Fetched June 2, 2026