---
title: Authorization header (HTTP Basic)
description: This is the default authentication method for AM confidential clients.
component: pingam
version: 8.1
page_id: pingam:am-oauth2:client-auth-header
canonical_url: https://docs.pingidentity.com/pingam/8.1/am-oauth2/client-auth-header.html
keywords: ["Authorization", "Authentication", "OAuth 2.0", "Federation", "HTTP Basic", "Clients"]
page_aliases: ["oauth2-guide:client-auth-header.adoc"]
---

# Authorization header (HTTP Basic)

This is the default authentication method for AM confidential clients.

The OAuth 2.0 client authenticates by sending the credentials in an HTTP Basic authentication (`Authorization`) header.

The value is `client_id:client_secret`, first [URL encoded](https://en.wikipedia.org/wiki/Percent-encoding), then base64 encoded. For example, `myClient:mySecret` encodes to `bXlDbGllbnQlM0FteVNlY3JldA`:

```bash
$ curl \
--request POST \
--header "Authorization: Basic bXlDbGllbnQlM0FteVNlY3JldA" \
…
```

To confirm this authentication method for a confidential OAuth 2.0 client, check the client profile in the AM admin UI:

1. Go to Realms > *realm name* > Applications > OAuth 2.0 > Clients > *client ID* > Advanced.

2. Verify the Token Endpoint Authentication Method is `client_secret_basic` and save your work.

Make sure all connections to AM use HTTPS to protect the secret.

URL encode the `client_id` and `client_secret` *before* base64 encoding the `client_id:client_secret` value.

For example, a client with ID `example.com` and secret `s=cr%t` has characters you must URL encode in the secret:

- The URL-encoded ID remains `example.com`.

- The URL-encoded secret is `s%3Dcr%25t`.

- The credentials are `example.com:s%3Dcr%25t` before base64 encoding.

- The base64-encoded form is `ZXhhbXBsZS5jb206cyUzRGNyJTI1dA==`.

- The final HTTP Basic header is `Authorization: Basic ZXhhbXBsZS5jb206cyUzRGNyJTI1dA==`
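
The encoding order from the note above, as an added Python example (not from the AM documentation or AM's code): `basic_client_auth` builds the header value, and the hypothetical `parse_basic_client_auth` reverses the steps to show what a receiver that splits on the first colon recovers. The `my:client` and `100%25` values are constructed to show what goes wrong when the URL-encoding step is skipped.

```python
import base64
from urllib.parse import quote, unquote


def basic_client_auth(client_id, client_secret):
    """Build the Authorization header value for client_secret_basic."""
    # Percent-encode each part on its own, so the only literal ":" left in
    # the credentials string is the separator. safe="" also encodes "/".
    enc_id = quote(client_id, safe="")
    enc_secret = quote(client_secret, safe="")
    credentials = f"{enc_id}:{enc_secret}"
    token = base64.b64encode(credentials.encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def naive_basic(client_id, client_secret):
    """Skip the URL-encoding step (shown only to illustrate the failure)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_client_auth(header_value):
    """Hypothetical receiver: reverse the steps (not AM's own code)."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authorization value")
    credentials = base64.b64decode(token, validate=True).decode("utf-8")
    enc_id, sep, enc_secret = credentials.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return unquote(enc_id), unquote(enc_secret)


if __name__ == "__main__":
    # Values from the note above.
    print(basic_client_auth("example.com", "s=cr%t"))
    # Constructed values: a colon in the ID and a literal "%25" in the secret.
    cid, secret = "my:client", "100%25"
    print(parse_basic_client_auth(basic_client_auth(cid, secret)))
    print(parse_basic_client_auth(naive_basic(cid, secret)))
```

Without the URL-encoding step, the constructed ID is cut at its own colon and the secret's `%25` collapses to `%`, so the receiver compares the wrong credentials.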
