---
title: Authorization header (HTTP Basic)
description: This is the default authentication method for Advanced Identity Cloud confidential clients.
component: pingoneaic
page_id: pingoneaic:am-oauth2:client-auth-header
canonical_url: https://docs.pingidentity.com/pingoneaic/am-oauth2/client-auth-header.html
keywords: ["Authorization", "Authentication", "OAuth 2.0", "Federation", "HTTP Basic", "Clients"]
page_aliases: ["oauth2-guide:client-auth-header.adoc"]
---

# Authorization header (HTTP Basic)

This is the default authentication method for Advanced Identity Cloud confidential clients.

The OAuth 2.0 client authenticates by sending the credentials in an HTTP Basic authentication (`Authorization`) header.

The value is `client_id:client_secret`, first [URL encoded](https://en.wikipedia.org/wiki/Percent-encoding), then base64 encoded. For example, `myClient:mySecret` encodes to `bXlDbGllbnQlM0FteVNlY3JldA`:

```bash
$ curl \
--request POST \
--header "Authorization: Basic bXlDbGllbnQlM0FteVNlY3JldA" \
...
```

To confirm this authentication method for a confidential OAuth 2.0 client, check the client profile in the Advanced Identity Cloud admin console:

1. Go to Applications > *Name* > Sign On > General Settings > Advanced > Authentication.

2. Verify the Token Endpoint Authentication Method is `client_secret_basic` and save your work.

Make sure all connections to Advanced Identity Cloud use HTTPS to protect the secret.

URL encode the `client_id` and `client_secret` *before* base64 encoding the `client_id:client_secret` value.

For example, a client with ID `example.com` and secret `s=cr%t` has characters you must URL encode in the secret:

- The URL-encoded ID remains `example.com`.

- The URL-encoded secret is `s%3Dcr%25t`.

- The credentials are `example.com:s%3Dcr%25t` before base64 encoding.

- The base64-encoded form is `ZXhhbXBsZS5jb206cyUzRGNyJTI1dA==`.

- The final HTTP Basic header is `Authorization: Basic ZXhhbXBsZS5jb206cyUzRGNyJTI1dA==`
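The encoding order described in the note above, as an added example that is not part of the original page or Ping Identity's code. It builds the header for the page's `example.com` / `s=cr%t` values and uses constructed credentials to show how skipping the URL-encoding step changes the ID and secret a receiver decodes. The function names and the receiver-side parser are hypothetical, and `urllib.parse.quote` with `safe=""` is assumed to match the URL encoding the page describes.

```python
import base64
from urllib.parse import quote, unquote


def basic_auth_header(client_id, client_secret):
    """URL encode each part, join with ':', then base64 encode."""
    # safe="" percent-encodes every reserved character, including ':' and '%'.
    pair = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def naive_basic_auth_header(client_id, client_secret):
    """Skips the URL-encoding step; kept only to show what goes wrong."""
    pair = client_id + ":" + client_secret
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def parse_basic_auth_header(value):
    """Reverse the steps the way a receiver would (hypothetical helper)."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not an HTTP Basic header value")
    pair = base64.b64decode(token, validate=True).decode("utf-8")
    # Only the first ':' separates the parts; encoded colons appear as %3A.
    enc_id, sep, enc_secret = pair.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return unquote(enc_id), unquote(enc_secret)


if __name__ == "__main__":
    # The page's own example values.
    header = basic_auth_header("example.com", "s=cr%t")
    print("Authorization:", header)
    print(parse_basic_auth_header(header))

    # Constructed values: an ID containing ':' and a secret containing '%3A'.
    cid, secret = "svc:reports", "p%3Aw"
    print(parse_basic_auth_header(basic_auth_header(cid, secret)))
    print(parse_basic_auth_header(naive_basic_auth_header(cid, secret)))
```

With the constructed values, the correctly encoded header round-trips to the original pair, while the naive header decodes to a different ID and secret, which is the mismatch that surfaces as a failed client authentication.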
