---
title: ClientSecretBasicAuthenticationFilter
description: Supports client authentication with the method client_secret_basic. Clients that have received a client_secret value from the Authorization Server authenticate through the HTTP basic access authentication scheme, as in the following example:
component: pinggateway
version: 2026
page_id: pinggateway:reference:ClientSecretBasicAuthenticationFilter
canonical_url: https://docs.pingidentity.com/pinggateway/2026/reference/ClientSecretBasicAuthenticationFilter.html
revdate: 2024-07-10T14:05:34Z
section_ids:
  ClientSecretBasicAuthenticationFilter-usage: Usage
  ClientSecretBasicAuthenticationFilter-conf: Configuration
  ClientSecretBasicAuthenticationFilter-example: Example
---

# ClientSecretBasicAuthenticationFilter

Supports client authentication with the method `client_secret_basic`. Clients that have received a `client_secret` value from the Authorization Server authenticate through the HTTP basic access authentication scheme, as in the following example:

```http
POST /oauth2/token HTTP/1.1
Host: as.example.com
Authorization: Basic ....
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=...
```

Use this filter with an endpoint `Handler` that requires `client_secret_basic` authentication. For example, `endpointHandler` in the [OAuth2TokenExchangeFilter](OAuth2TokenExchangeFilter.html) or [ClientCredentialsOAuth2ClientFilter](ClientCredentialsOAuth2ClientFilter.html).

## Usage

```json
{
  "name": string,
  "type": "ClientSecretBasicAuthenticationFilter",
  "config": {
    "clientId": configuration expression<string>,
    "clientSecretId": configuration expression<secret-id>,
    "secretsProvider": SecretsProvider reference
  }
}
```

## Configuration

* `"clientId"`: *configuration expression<[string](preface.html#definition-string)>, required*

  The OAuth 2.0 client ID to use for authentication.

* `"clientSecretId"`: *configuration expression<[secret-id](preface.html#definition-secretid)>, required*

  The OAuth 2.0 client secret to use for authentication.

  This secret ID must point to a [GenericSecret](../security-guide/keys.html#secret-types).

* `"secretsProvider"`: *SecretsProvider [reference](preface.html#definition-reference), required*

  The [SecretsProvider](SecretsProvider.html) to query for passwords and cryptographic keys.

## Example

```json
{
  "name": "ExchangeHandler",
  "type": "Chain",
  "config": {
    "handler": "ForgeRockClientHandler",
    "filters": [
      {
        "type": "ClientSecretBasicAuthenticationFilter",
        "config": {
          "clientId": "serviceConfidentialClient",
          "clientSecretId": "client.secret.id",
          "secretsProvider" : "SystemAndEnvSecretStore-1"
        }
      }
    ]
  }
}
```