What is a service client?

A service client is a specialized OA4MP client that complies with either §2.1 of RFC 7523 (a JWT used as an authorization grant) or §4.4 of RFC 6749, the OAuth 2.0 specification (the client credentials grant). This means it is allowed to issue a token request directly, without a user first going through an interactive OAuth flow. However, this implies a trust relationship and requires vetting.

Why?

As computing switches to token-based trust models and leaves behind X.509 certificates, services still need to be able to identify themselves, and there still need to be trust relationships in effect. Before, a server would have an X.509 certificate to prove who or what it was; now it needs a signed token. Requiring a service (and its human administrator) to go through an OAuth flow every time, say, a server restarts is an intolerable burden on a system. Therefore, the trust is agreed upon separately when the service client is set up. Typically, a service client has a single (robot) user, and the set of users it can recognize is restricted accordingly. The service then issues token requests directly.

RFC 7523

A public/private key pair must be generated, and all authentication is key-based. Once the keys are in place, the service simply sends a grant request (a JSON object signed with its private key) to the token endpoint and gets tokens back. Read the RFC 7523 documentation for more.
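Both halves of that exchange, as an added example in Go that is not OA4MP's own code: the service client builds and RS256-signs the RFC 7523 §2.1 grant, and the token endpoint checks it against the public key registered for that client before issuing anything. The client id, endpoint URL and 5-minute lifetime are assumptions chosen for the example.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
// JWS segments are unpadded base64url; RS256 signs the SHA-256 of "header.payload".
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func sha(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }
// JWTBearerAssertion builds the signed grant the service client POSTs to the token endpoint
// as grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<jwt> (RFC 7523 §2.1).
// iss/sub: the client id; aud: the token endpoint; jti: nonce so the server can detect replay.
func JWTBearerAssertion(key *rsa.PrivateKey, clientID, tokenEndpoint string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	rand.Read(jti) // error ignored: crypto/rand.Read is documented never to fail (Go 1.24+)
	claims, _ := json.Marshal(map[string]any{"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"jti": b64url(jti), "iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix()}) // short-lived (assumed)
	input := b64url([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64url(claims)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sha(input))
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}
// VerifyAssertion is the server side: the signature is checked only under the public key
// registered for this client (the header's alg is never consulted), then audience and expiry.
func VerifyAssertion(pub *rsa.PublicKey, assertion, tokenEndpoint string, now time.Time) (map[string]any, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sha(parts[0]+"."+parts[1]), sig) != nil {
		return nil, errors.New("bad signature")
	}
	var claims map[string]any
	if raw, _ := base64.RawURLEncoding.DecodeString(parts[1]); json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("bad claims")
	}
	if exp, _ := claims["exp"].(float64); claims["aud"] != tokenEndpoint || now.Unix() >= int64(exp) {
		return nil, errors.New("wrong audience or expired")
	}
	return claims, nil
}
```

The private key never leaves the service; the server only needs the public key, which is why the relationship has to be set up and vetted before the first request.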

RFC 6749 §4.4

To authenticate (as per §2.3 of the specification):

[t]he authorization server MAY accept any form of client authentication meeting its security requirements.

Hence you may use public/private keys with the client credentials flow as well, if your client has them. OA4MP will issue tokens based on the request. Read the client credentials flow documentation for more.