Kinde • 2w ago
jafjafon

Get access_token and id_token from a k6 load test

I want to write some load tests for my API and I need to get a token in order to do that. Since it is running in the background, I can't use the browser for doing that. Any help will be appreciated.
8 Replies
IkiTg07 • 2w ago
Hey, I don't see a way you could do that. Let me ask the team.
Ages • 2w ago
Hi, for load testing your API with Kinde authentication, you can use the machine-to-machine (M2M) token approach. Here's how:
1. First, register your API with Kinde and create an M2M application
2. You can then get a token using a POST request to your Kinde domain's token endpoint. Here's an example using Node.js:
async function getToken() {
  try {
    const response = await fetch(`https://<your_subdomain>.kinde.com/oauth2/token`, {
      method: "POST",
      headers: {
        "content-type": "application/x-www-form-urlencoded"
      },
      body: new URLSearchParams({
        audience: "https://<your_subdomain>.kinde.com/api",
        grant_type: "client_credentials",
        client_id: "<your_m2m_client_id>",
        client_secret: "<your_m2m_client_secret>"
      })
    });

    if (!response.ok) {
      throw new Error(`Response status: ${response.status}`);
    }

    const json = await response.json();
    console.log(json);
  } catch (error) {
    console.error(error.message);
  }
}

getToken();
3. Once you have the token, you can use it in your load tests by including it in the Authorization header:
curl --request GET \
  --url 'https://<your_subdomain>.kinde.com/api/v1/users' \
  --header 'authorization: Bearer <m2m_access_token>' \
  --header 'content-type: application/json'
Make sure to replace:
- <your_subdomain> with your Kinde subdomain
- <your_m2m_client_id> with your M2M application client ID
- <your_m2m_client_secret> with your M2M application client secret

The token response will include a JWT that contains claims including scopes and expiry time. You can then use this token for your load testing tools like JMeter, k6, or any other testing framework that supports setting authorization headers.

Let me know if you'd like help setting this up in a specific tool or if you run into any issues.
jafjafon (OP) • 2w ago
Thanks for the reply, but I need the user information, and the M2M token does not contain the user claims.
Ages • 2w ago
Hi,
Ah, you're right, to retrieve user claims, you'll need to use the Authorization Code flow with PKCE. Below are the steps to obtain a user token via Postman, which you can then use in your load tests:

Configure your application in Kinde:
- Add https://oauth.pstmn.io/v1/callback to your allowed callback URLs in the application settings.

Set up the Postman request:
1. Create a new GET request.
2. In the Authorization tab:
   - Set Type to OAuth 2.0.
   - Set Grant Type to Authorization Code (With PKCE).
   - Enable Authorize using browser.
   - Set Auth URL to: https://yourbusiness.kinde.com/oauth2/auth?prompt=login
   - Set Access Token URL to: https://yourbusiness.kinde.com/oauth2/token
   - Enter your Client ID from the Kinde application.
   - Set Code Challenge Method to SHA-256.
   - Set Scope to: openid email offline.
3. Click Get New Access Token and complete the authentication flow.

The token you receive will contain user claims. The ID token includes user information, and the access token will carry the necessary permissions.

For load testing:
- You can retrieve the token once using this method.
- Store it securely and use it in your scripts until it expires.
- Since you're requesting the offline scope, a refresh token will also be provided. This allows you to obtain new access tokens without browser interaction.

Let me know if you need help with any of the steps.
jafjafon (OP) • 2w ago
Thanks, this is something I already did, but it requires manual interaction and I am trying to automate the process.
Ages • 2w ago
Hi,
You're absolutely right — the Authorization Code flow with PKCE does require browser interaction. However, there's a workaround that only needs manual interaction once per user. If you include offline in the scope during the initial authentication, you'll receive a refresh token along with the access and ID tokens. Once you have that refresh token, you can automate the process of generating new access tokens for your load tests — no further browser interaction required.

Here's a helpful doc that walks through how refresh tokens work and how to use them:
👉 Kinde Refresh Tokens Documentation

Let me know if you'd like help setting this up or have any questions!
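The refresh-token approach described above, sketched as a helper for a k6 script (an added example, not code from the thread or from Kinde). It assumes the token endpoint follows the standard OAuth 2.0 refresh grant and response fields; `createTokenSource` and the `cfg` field names are hypothetical, and the HTTP client is injected so the same code runs under k6 (`k6/http`) or with a stub.

```javascript
// Added example. `http` is any client with k6's http.post(url, body, params)
// shape; in a k6 script pass the module from `import http from 'k6/http'`.
// createTokenSource, the cfg fields and the 30 s skew are illustrative choices.
function createTokenSource(http, cfg, now = () => Date.now()) {
  let refreshToken = cfg.refreshToken; // obtained once via the browser flow
  let cached = null;                   // { accessToken, idToken, expiresAt }

  function refresh() {
    const body = {
      grant_type: 'refresh_token',
      client_id: cfg.clientId,
      refresh_token: refreshToken,
    };
    if (cfg.clientSecret) body.client_secret = cfg.clientSecret; // confidential clients only
    // k6 sends an object body as application/x-www-form-urlencoded.
    const res = http.post(cfg.tokenUrl, body, {
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    });
    if (res.status !== 200) {
      // Report the status only; never log the request or response body.
      throw new Error(`token refresh failed: HTTP ${res.status}`);
    }
    const json = res.json();
    // If the server rotates refresh tokens, the previous one is no longer valid.
    if (json.refresh_token) refreshToken = json.refresh_token;
    cached = {
      accessToken: json.access_token,
      idToken: json.id_token,
      expiresAt: now() + json.expires_in * 1000,
    };
    return cached;
  }

  return {
    // Returns cached tokens, refreshing 30 s before the access token expires.
    get() {
      if (!cached || now() >= cached.expiresAt - 30000) refresh();
      return cached;
    },
    authHeaders() {
      return { Authorization: `Bearer ${this.get().accessToken}` };
    },
    currentRefreshToken: () => refreshToken,
  };
}
```

In k6, call `get()` inside `setup()` and return the tokens as setup data, since each VU has its own JavaScript runtime and per-VU refreshes from one starting refresh token would invalidate one another if the server rotates them. Read the `cfg` values from `__ENV` rather than hard-coding them in the script.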
jafjafon (OP) • 2w ago
Not the ultimate solution but better than nothing 😜. Thanks 🙏
Ages • 2w ago
Haha fair enough! Appreciate it 🙏 If there's anything else you need or any feedback about Kinde, just shout!
