# On-Behalf-Of Flow

This flow is designed for server-side applications that need to perform operations on behalf of a specific user or customer without an interactive login session.

## **Generate an On-Behalf-Of Access Token**

Your application, acting as a client, makes a single `POST` request to the token endpoint listed in your [metadata](/developer-portal/guides/authentication/metadata) to generate a user-specific access token.

* **Method**: `POST`
* **Endpoint**: Your **Access Token URL** (from your client application's metadata).
  * **Example Base Access Token URL for Client on behalf of a User**

    ```
    https://ai.egain.cloud/system/auth/TMPRODB88619984-U/oauth2/token
    ```
  * **Example Base Access Token URL for Client on behalf of a Customer**

    ```
    https://ai.egain.cloud/system/auth/TMPRODB88619984-C/oauth2/token
    ```


**Headers:**

| Header | Value |
|  --- | --- |
| `Content-Type` | `application/x-www-form-urlencoded` |


**Body Parameters (`application/x-www-form-urlencoded`):**

| Parameter | Relevance | Description |
|  --- | --- | --- |
| `grant_type` | Required | Must be set to `password`. |
| `client_id` | Required | The Client ID for your application. |
| `client_secret` | Required | The Client Secret for your application. |
| `scope` | Required | A space-separated list of scopes. You can include any combination of scopes assigned to your client application in a single request. This allows you to generate one multi-purpose token for your entire application, or separate tokens for specific tasks, depending on your architectural needs. |
| `subject_username` | **Conditional** | The username of the user on whose behalf the token is being requested. |
| `subject_userid` | **Conditional** | The unique ID of the user on whose behalf the token is being requested. |
| `subject_email` | **Conditional** | The unique email address of the customer on whose behalf the token is being requested. |


> **User Identification and Best Practices:**
>
> * You must provide either `subject_username` or `subject_userid` to identify the user.
> * You must provide `subject_email` to identify the customer.
> * It is **recommended to use `subject_username`** to ensure optimal performance, as using `subject_userid` can increase latency.

**Example Full Token cURL for a User:**

```bash
curl --location --request POST 'https://ai.egain.cloud/system/auth/TMPRODB88619984-U/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=7121f585-e403-4531-9a38-1826ebc7e7d8' \
--data-urlencode 'client_secret=*****************' \
--data-urlencode 'scope=knowledge.portalmgr.onbehalfof.read' \
--data-urlencode 'subject_username=pa'
```
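The same request built in Python, as an added example (not eGain's code): it checks the conditional subject parameters from the table above and form-encodes the body, here for a customer. The function name, the exactly-one-subject rule, the HTTPS check, the `EGAIN_CLIENT_SECRET` variable and all sample values are assumptions of this example.

```python
import urllib.parse
import urllib.request

# Subject parameters from the Body Parameters table.
SUBJECT_PARAMS = ("subject_username", "subject_userid", "subject_email")


def build_token_request(token_url, client_id, client_secret, scopes, **subject):
    """Build (but do not send) the on-behalf-of token POST request."""
    # The body carries client_secret, so refuse anything but HTTPS.
    if urllib.parse.urlsplit(token_url).scheme != "https":
        raise ValueError("token URL must use https")
    unknown = set(subject) - set(SUBJECT_PARAMS)
    if unknown:
        raise ValueError(f"unknown subject parameter(s): {sorted(unknown)}")
    given = {k: v for k, v in subject.items() if v}
    # Assumption of this example: send exactly one identifier per request.
    if len(given) != 1:
        raise ValueError("supply exactly one of " + ", ".join(SUBJECT_PARAMS))
    scopes = scopes.split() if isinstance(scopes, str) else list(scopes)
    if not scopes or any(not s or any(c.isspace() for c in s) for s in scopes):
        raise ValueError("scopes must be non-empty and contain no whitespace")
    fields = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),  # space-separated, per the table
        **given,
    }
    body = urllib.parse.urlencode(fields).encode("ascii")
    return urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


if __name__ == "__main__":
    import os
    # Constructed values; EGAIN_CLIENT_SECRET is a hypothetical variable name.
    req = build_token_request(
        "https://auth.example.invalid/oauth2/token",
        "00000000-0000-0000-0000-000000000000",
        os.environ.get("EGAIN_CLIENT_SECRET", "placeholder-secret"),
        ["example.scope.read"],
        subject_email="customer@example.com",
    )
    # Print the parameter names only, never the secret itself.
    print(req.full_url, sorted(urllib.parse.parse_qs(req.data.decode())))
```

Send the returned object with `urllib.request.urlopen(req)`; keeping the secret in the environment or a secret store keeps it out of source control and shell history.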

**Next Steps:**

- [Make Authenticated Requests](/developer-portal/guides/authentication/making-requests)