diff --git a/dev/ory/oathkeeper.yml b/dev/ory/oathkeeper.yml
index 3702490eb3..6cd5fbc5cb 100644
--- a/dev/ory/oathkeeper.yml
+++ b/dev/ory/oathkeeper.yml
@@ -37,6 +37,11 @@ authenticators:
       token_from:
         header: Oauth2-Token
 
+  oauth2_client_credentials:
+    enabled: true
+    config:
+      token_url: http://hydra:4444/oauth2/token
+
   anonymous:
     enabled: true
     config:
diff --git a/dev/ory/oathkeeper_rules.yaml b/dev/ory/oathkeeper_rules.yaml
index 8519e3c675..83eed784b7 100644
--- a/dev/ory/oathkeeper_rules.yaml
+++ b/dev/ory/oathkeeper_rules.yaml
@@ -91,6 +91,13 @@
     url: "<(http|https)>://<.*><[0-9]+>/admin<.*>"
     methods: ["GET", "POST", "OPTIONS"]
   authenticators:
+    # - handler: oauth2_client_credentials
+    #   config:
+    #     token_url: http://hydra:4444/oauth2/token
+    #     required_scope:
+    #       - admin
+    #       - editor
+
     - handler: cookie_session
       config:
         check_session_url: http://kratos:4433/sessions/whoami
diff --git a/docs/hydra.md b/docs/hydra.md
index 34d0e584c4..2bfa13eeb1 100644
--- a/docs/hydra.md
+++ b/docs/hydra.md
@@ -90,4 +90,34 @@ curl -I -X POST http://localhost:4456/decisions/graphql -H "Oauth2-Token: $ory_a
 curl --location 'http://localhost:4002/graphql' \
 --header 'Content-Type: application/json' \
 --header "Oauth2-Token: $ory_at_TOKEN" \
---data '{"query":"query me {\n    me {\n        id\n        defaultAccount {\n            id\n        }\n    }\n}","variables":{}}'
\ No newline at end of file
+--data '{"query":"query me {\n    me {\n        id\n        defaultAccount {\n            id\n        }\n    }\n}","variables":{}}'
+
+
+## client_credentials
+
+#### create client
+
+```
+client=$(hydra create client \
+    --endpoint http://127.0.0.1:4445/ \
+    --format json \
+    --grant-type client_credentials \
+    --scope editor \
+    --scope admin)
+client_id=$(echo $client | jq -r '.client_id')
+client_secret=$(echo $client | jq -r '.client_secret')
+```
+
+#### get token for client ( not needed )
+
+```
+hydra perform client-credentials \
+  --endpoint http://127.0.0.1:4444/ \
+  --client-id $client_id \
+  --client-secret $client_secret \
+  --scope editor \
+  --scope admin
+```
+
+// is not returning the scope in the jwt
+curl -s -I -X POST http://localhost:4456/decisions/graphql --user $client_id:$client_secret