Authenticating Clients Using Authorization Headers

Clients that have a client secret can send the client ID and the secret in a basic authorization header with the base64-encoded value of client_id:client_secret. For example:

$ curl \
--header "Authorization: Basic bXlDbGllbnQ6Zm9yZ2Vyb2Nr" \
--request POST \


If the client ID or client secret contains characters that have special meaning in URL-encoded strings, such as percent (%) or plus (+) characters, you must first URL-encode the string before combining them with the colon character and base64-encoding the result. URL-encoding characters that do not have special meaning in URL-encoded strings will still work, but is unnecessary.

For example, for a client named with a client secret of s=cr%t:

  1. URL-encode the client secret value and combine with the colon character. For example:

    Note that you should not URL-encode the separating colon character.

  2. Base64-encode the entire string to obtain the basic authorization header. For example, ZXhhbXBsZS5jb206cyUzRGNyJTI1dA==

Ensure that communication with the authorization server happens over a secure protocol to help protect the credentials.


OpenID Connect clients must also specify the authentication method they are using in their client profiles. See OpenID Connect Client Authentication.

Read a different version of :