Authenticate clients with authorization headers
Clients that have a client secret can send the client ID and the secret in a basic authorization header
with the base64-encoded value of
$ curl \
  --header "Authorization: Basic bXlDbGllbnQ6Zm9yZ2Vyb2Nr" \
  --request POST \
  …
If the client ID or client secret contains characters that have special meaning in URL-encoded strings, such as percent (%) or plus (+) characters, you must first URL-encode each string before combining them with the colon character and base64-encoding the result. URL-encoding characters that do not have special meaning in URL-encoded strings still works, but is unnecessary.
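The encoding order described above, shown as an added example that is not code from the original documentation: it builds the header, then shows what a server recovers when the URL-encoding step is skipped. The function names and the sample secret are hypothetical, and the parsing side assumes a server that URL-decodes both values after base64-decoding, as RFC 6749 section 2.3.1 describes.

```python
import base64
from urllib.parse import quote_plus, unquote_plus


def basic_header(client_id, client_secret):
    """URL-encode each value, join with ':', then base64-encode the pair."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def naive_header(client_id, client_secret):
    """Failure mode: skips URL-encoding, so '%', '+' and ':' go through raw."""
    pair = f"{client_id}:{client_secret}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def parse_basic_header(value):
    """Recover (client_id, client_secret) the way a URL-decoding server would.

    Assumption: the server splits on the first colon and URL-decodes each part.
    """
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    enc_id, sep, enc_secret = decoded.partition(":")
    if not sep:
        raise ValueError("missing colon separator")
    return unquote_plus(enc_id), unquote_plus(enc_secret)


if __name__ == "__main__":
    # The credentials behind the header value in the curl command above.
    print(basic_header("myClient", "forgerock"))

    # Constructed secret containing '+', '%' and ':'.
    secret = "p+ss%2Fw:rd"
    good = parse_basic_header(basic_header("myClient", secret))
    bad = parse_basic_header(naive_header("myClient", secret))
    print("encoded first :", good)  # secret survives the round trip
    print("encoding skipped:", bad)  # server sees a different secret
```

With the encoding step skipped, the server decodes `+` to a space and `%2F` to `/`, so the comparison against the stored secret fails even though the client sent the right value.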
For example, for a client named
Ensure that communication with the authorization server happens over a secure protocol to help protect the credentials.
OpenID Connect clients must also specify the authentication method they are using in their client profiles. See OpenID Connect client authentication.