RFC 6749 Section 2.3: OAuth 2.0 Client Authentication


Confidential clients authenticate when making requests to the OAuth authorization server.

The core OAuth 2.0 specification defines the "client password" (i.e. client secret) client authentication type, which defines the client_secret request parameter as well as the method of including the client credentials in the HTTP Authorization header.

These are the most common forms of client authentication.

Note: PKCE is not a form of client authentication, and is not an alternative to client authentication. Applications using client authentication should also use PKCE.
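As an added illustration (not part of this page or of the RFC's own text), the following Python sketch shows how an authorization server could accept both forms of client password authentication from Section 2.3.1: the client ID and secret form-urlencoded, joined with a colon and base64-encoded into an HTTP Basic Authorization header, or sent as client_id/client_secret request-body parameters. It rejects requests that use both methods at once and compares secrets in constant time; the client registry and credential values are constructed for the example.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote_plus, unquote_plus

# Constructed client registry; a real server would keep (hashed) secrets in a database.
CLIENTS = {"my-app": "s3cret", "other-app": "p@ss:w0rd"}


def build_basic_header(client_id, client_secret):
    """Client side (RFC 6749 2.3.1): form-urlencode id and secret, join with ':', base64-encode."""
    raw = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def credentials_from_basic(header):
    """Server side: undo the encoding above; return (client_id, client_secret) or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    client_id, client_secret = decoded.split(":", 1)
    return unquote_plus(client_id), unquote_plus(client_secret)


def credentials_from_body(body):
    """Server side: client_id/client_secret as request-body parameters (RFC 6749 2.3.1 body form)."""
    params = parse_qs(body or "", keep_blank_values=True)
    if "client_id" in params and "client_secret" in params:
        return params["client_id"][0], params["client_secret"][0]
    return None


def authenticate_client(headers, body):
    """Return the authenticated client_id, or None. headers is a dict with an optional 'Authorization'."""
    basic = credentials_from_basic(headers.get("Authorization"))
    post = credentials_from_body(body)
    if basic and post:
        return None  # RFC 6749 2.3: a client MUST NOT use more than one authentication method per request
    creds = basic or post
    if creds is None:
        return None
    client_id, presented = creds
    expected = CLIENTS.get(client_id, "")
    # Constant-time comparison so timing does not reveal how much of a wrong secret matched.
    if client_id in CLIENTS and hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8")):
        return client_id
    return None
```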

More resources