diff --git a/.tc-environment b/.tc-environment
index 665a2123..063792cd 100644
--- a/.tc-environment
+++ b/.tc-environment
@@ -5,5 +5,9 @@ export HSADMINNG_POSTGRES_ADMIN_USERNAME=admin
 export HSADMINNG_SUPERUSER=import-superuser@hostsharing.net
 export HSADMINNG_OFFICE_DATA_SQL_FILE
 export HSADMINNG_JWT_TOKEN_URL=http://localhost:8080/fake-jwt/token
+export HSADMINNG_JWT_CLIENT_ID=hsscript.ng
+export HSADMINNG_JWT_CLIENT_SECRET=
+export HSADMINNG_JWT_USERNAME=superuser-alex@hostsharing.net
+export HSADMINNG_JWT_PASSWORD=password
 
 export LANG=en_US.UTF-8
diff --git a/.unset-environment b/.unset-environment
index 4fc29b63..aec5ceb3 100644
--- a/.unset-environment
+++ b/.unset-environment
@@ -8,7 +8,8 @@ unset HSADMINNG_OFFICE_DATA_SQL_FILE
 
 unset HSADMINNG_JWT_ISSUER
 unset HSADMINNG_JWT_JWKS_URL
+unset HSADMINNG_JWT_TOKEN_URL
+unset HSADMINNG_JWT_CLIENT_ID
+unset HSADMINNG_JWT_CLIENT_SECRET
 unset HSADMINNG_JWT_USERNAME
 unset HSADMINNG_JWT_PASSWORD
-unset HSADMINNG_JWT_TOKEN_URL
-
diff --git a/bin/jwt-curl b/bin/jwt-curl
index 3caf5993..86f268a0 100755
--- a/bin/jwt-curl
+++ b/bin/jwt-curl
@@ -102,12 +102,12 @@ function jwtLogin() {
   # OAuth2 Resource Owner Password Credentials Grant (public client)
   trace "+ curl --fail-with-body --show-error -X POST \
         -H 'Content-Type: application/x-www-form-urlencoded' \
-        -d \"grant_type=password&username=$HSADMINNG_JWT_USERNAME&password=$HSADMINNG_JWT_PASSWORD_DISPLAY\" \
+        -d \"grant_type=password&client_id=$HSADMINNG_JWT_CLIENT_ID&client_secret=$HSADMINNG_JWT_CLIENT_SECRET&username=$HSADMINNG_JWT_USERNAME&password=$HSADMINNG_JWT_PASSWORD_DISPLAY\" \
         $HSADMINNG_JWT_TOKEN_URL -o ~/.jwt-token.response"
 
   JWT_RESPONSE=$(curl --fail-with-body --show-error -X POST \
     -H 'Content-Type: application/x-www-form-urlencoded' \
-    -d "grant_type=password&username=$HSADMINNG_JWT_USERNAME&password=$HSADMINNG_JWT_PASSWORD" \
+    -d "grant_type=password&client_id=$HSADMINNG_JWT_CLIENT_ID&client_secret=$HSADMINNG_JWT_CLIENT_SECRET&username=$HSADMINNG_JWT_USERNAME&password=$HSADMINNG_JWT_PASSWORD_DISPLAY" \
     $HSADMINNG_JWT_TOKEN_URL 2>&1 | tee ~/.jwt-token.response)
 
   # Extract access token from JSON response
@@ -198,6 +198,8 @@ case "${1,,}" in
   "env") ## prints all related HSADMINNG_JWT_... environment variables; use '--show-password' to show the password as well
   #       example: jwt-curl  -show-password env
     echo "export HSADMINNG_JWT_TOKEN_URL=$HSADMINNG_JWT_TOKEN_URL"
+    echo "export HSADMINNG_JWT_CLIENT_ID=$HSADMINNG_JWT_CLIENT_ID"
+    echo "export HSADMINNG_JWT_CLIENT_SECRET=$HSADMINNG_JWT_CLIENT_SECRET"
     echo "export HSADMINNG_JWT_USERNAME=$HSADMINNG_JWT_USERNAME"
     if [ "$HSADMINNG_JWT_SHOW_PASSWORD" == "yes" ]; then
       echo "export HSADMINNG_JWT_PASSWORD=$HSADMINNG_JWT_PASSWORD"