Authenticating Clients Using Authorization Headers

Clients that have a client secret can send the client ID and the secret in a basic authorization header with the base64-encoded value of client_id:client_secret. For example:

$ curl \
--header "Authorization: Basic bXlDbGllbnQ6Zm9yZ2Vyb2Nr" \
--request POST \
…​

If the client ID or client secret contains characters that have special meaning in URL-encoded strings, such as percent (%) or plus (+) characters, you must first URL-encode each value before combining them with the colon character and base64-encoding the result. URL-encoding characters that do not have special meaning in URL-encoded strings still works, but is unnecessary.

For example, for a client named example.com with a client secret of s=cr%t:

  1. URL-encode the client secret value and combine with the colon character.

    For example: example.com:s%3Dcr%25t.

    Note that you should not URL-encode the separating colon character.

  2. Base64-encode the entire string to obtain the basic authorization header.

    For example, ZXhhbXBsZS5jb206cyUzRGNyJTI1dA==.
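
The two steps above as a Python sketch, added here as an illustration and not taken from the product. The function names are hypothetical, and the receiving side is an assumed model (split on the first colon, then form-style URL-decode each part) used only to show what goes wrong when the encoding step is skipped.

```python
import base64
from urllib.parse import quote_plus, unquote_plus


def basic_auth_header(client_id, client_secret):
    """Build the Authorization header value from a client ID and secret."""
    # Encode each value on its own. quote_plus also escapes a ":" inside a
    # value, so the only literal colon left in the pair is the separator.
    pair = quote_plus(client_id) + ":" + quote_plus(client_secret)
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def naive_header(client_id, client_secret):
    """Skips the URL-encoding step; kept only to show the mismatch."""
    pair = client_id + ":" + client_secret
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def parse_basic_auth_header(value):
    """Assumed receiving side: base64-decode, split once, URL-decode."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    pair = base64.b64decode(token, validate=True).decode("utf-8")
    client_id, sep, secret = pair.partition(":")
    if not sep:
        raise ValueError("missing colon separator")
    return unquote_plus(client_id), unquote_plus(secret)


if __name__ == "__main__":
    # Values from the example above.
    header = basic_auth_header("example.com", "s=cr%t")
    print(header)
    print(parse_basic_auth_header(header))

    # Constructed secret containing "+": without encoding, the receiver
    # reads the plus as a space and the secret no longer matches.
    print(parse_basic_auth_header(naive_header("example.com", "p+ss")))
    print(parse_basic_auth_header(basic_auth_header("example.com", "p+ss")))
```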

Ensure that communication with the authorization server happens over a secure protocol to help protect the credentials.

OpenID Connect clients must also specify the authentication method they are using in their client profiles. See OpenID Connect Client Authentication.