RFC 6749 Section 2.3: OAuth 2.0 Client Authentication
Confidential clients authenticate when making requests to the OAuth authorization server.

The core OAuth 2.0 specification defines the "client password" client authentication type, which covers the client_secret parameter as well as the method of sending the client password in the HTTP Authorization header.

There are additional forms of client authentication defined in extensions.

Note: PKCE is not a form of client authentication, and is not an alternative to client authentication. Applications using client authentication should also use PKCE.
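As an added illustration (not code from the RFC or from this page), the following shows both sides of the "client password" type from Section 2.3.1: the client builds the HTTP Basic Authorization header (or the body form), and the authorization server decodes it and checks the secret in constant time. The `registry` dict is a constructed stand-in for the server's client store; the client id and secret values are the ones used in the RFC's own example.

```python
from __future__ import annotations
import base64
import hmac
import secrets
from urllib.parse import quote, unquote, urlencode


def client_secret_basic_header(client_id: str, client_secret: str) -> str:
    """Client side: RFC 6749 sec. 2.3.1 "client password" in the Authorization header.
    Both values are form-urlencoded before the usual user:pass base64 of HTTP Basic."""
    user, pw = quote(client_id, safe=""), quote(client_secret, safe="")
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode("ascii")).decode("ascii")


def client_secret_post_body(client_id: str, client_secret: str, **params: str) -> str:
    """Client side: the body form of the same type (sec. 2.3.1), which the RFC
    permits but does not recommend over the header form."""
    return urlencode({**params, "client_id": client_id, "client_secret": client_secret})


def parse_basic_credentials(header: str) -> tuple[str, str]:
    """Server side: recover (client_id, client_secret); raises ValueError if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True).decode("ascii")
    user, sep, pw = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return unquote(user), unquote(pw)


def authenticate_client(header: str, registry: dict[str, str]) -> str | None:
    """Server side: return the authenticated client_id, or None on any failure.
    `registry` maps client_id -> registered secret (a constructed stand-in for the
    authorization server's client store)."""
    try:
        client_id, presented = parse_basic_credentials(header)
    except (ValueError, UnicodeDecodeError):
        return None
    # Compare even for unknown client_ids so a failure takes the same time either way;
    # compare_digest keeps the secret comparison constant-time.
    expected = registry.get(client_id, secrets.token_urlsafe(32))
    ok = hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))
    return client_id if ok and client_id in registry else None
```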
