---
title: OAuth 2.0 client authentication
description: OAuth 2.0 client applications send their authentication credentials using one of the following mechanisms:
component: pingam
version: 8.1
page_id: pingam:am-oauth2:oauth2-client-auth
canonical_url: https://docs.pingidentity.com/pingam/8.1/am-oauth2/oauth2-client-auth.html
keywords: ["OAuth 2.0", "Endpoints", "Authentication", "REST API"]
page_aliases: ["oauth2-guide:oauth2-client-auth.adoc"]
---

# OAuth 2.0 client authentication

OAuth 2.0 client applications send their authentication credentials using one of the following mechanisms:

* The [Authorization header (HTTP Basic)](client-auth-header.html) (default)

* [Form parameters (HTTP POST)](client-auth-form.html)

* A [JWT profile](client-auth-jwt.html)

* [Mutual TLS](client-auth-mtls.html)

Authentication depends on the Client type defined in the AM admin UI under Realms > *realm name* > Applications > OAuth 2.0 > Clients > *client ID* > Core:

* Confidential clients

  These applications include websites and services that make secure connections to AM.

  They can protect their client secret or JSON Web Token (JWT).

  You configure the authentication method for a confidential client in the AM admin UI under Realms > *realm name* > Applications > OAuth 2.0 > Clients > *client ID* > Advanced as the Token Endpoint Authentication Method.

  When a client authenticates with form parameters, the server can store POST data on the user-agent in an `OAUTH_REQUEST_ATTRIBUTES` cookie. AM uses the cookie to continue the authentication process across redirects. It marks the cookie for deletion on the next successful OAuth 2.0 authorization.

* Public clients

  These are single-page applications and applications running on devices.

  They cannot protect secrets.

  Public clients identify themselves by client ID, but do not fully authenticate.

  Public OIDC clients must specify `none` as their authentication method.
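
The following added example (not AM's own code) shows where the credentials go in a token request for the Authorization header and form parameter mechanisms, and for a public client using `none`. The method names `client_secret_basic` and `client_secret_post` are the standard OAuth 2.0 registration values, assumed here to correspond to those two mechanisms; the function name, client ID, and secret are constructed for illustration, and the form-encoding before Base64 follows RFC 6749 section 2.3.1.

```python
import base64
from urllib.parse import quote_plus, urlencode


def build_token_request(auth_method, client_id, client_secret, grant):
    """Return (headers, body) for a token endpoint POST (hypothetical helper)."""
    params = dict(grant)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}

    if auth_method == "client_secret_basic":
        if not client_secret:
            raise ValueError("confidential client requires a secret")
        # RFC 6749 section 2.3.1: form-encode the ID and secret first, so a
        # ':' or non-ASCII character in the secret cannot corrupt the
        # "id:secret" pair, then Base64-encode the pair.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        encoded = base64.b64encode(pair.encode("utf-8")).decode("ascii")
        headers["Authorization"] = f"Basic {encoded}"
    elif auth_method == "client_secret_post":
        if not client_secret:
            raise ValueError("confidential client requires a secret")
        # Credentials travel in the POST body, never in the query string.
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    elif auth_method == "none":
        # Public client: identified by client ID only, no secret to send.
        if client_secret:
            raise ValueError("public clients must not send a secret")
        params["client_id"] = client_id
    else:
        raise ValueError(f"unsupported method: {auth_method}")

    return headers, urlencode(params)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    cc = {"grant_type": "client_credentials"}
    for method in ("client_secret_basic", "client_secret_post"):
        print(method, build_token_request(method, "myClient", "p@ss:word/1", cc))
    code = {"grant_type": "authorization_code", "code": "constructed-code"}
    print("none", build_token_request("none", "mySpaClient", None, code))
```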
