
Token Endpoint Authentication Method: HTTP Basic. What is it?



Where is the documentation for using the “Basic” Token Endpoint Authentication Method for non-interactive clients? How does this work? How is it different than using “POST”? What should a request against /oauth/token look like when using “Basic”?


The reference documentation for that mostly goes back into the OAuth 2.0 specification, which specifies how client applications can perform client authentication based on a client password/secret.

The whole client authentication section (2.3) contains useful information, but you should pay particular attention to 2.3.1:

Clients in possession of a client password MAY use the HTTP Basic authentication scheme as defined in [RFC2617] to authenticate with the authorization server.

The Basic token endpoint authentication method refers to that HTTP Basic authentication approach and the Post token endpoint authentication method refers to the second approach mentioned in the specification:

Alternatively, the authorization server MAY support including the client credentials in the request-body using the following parameters (…)

In conclusion, with Basic you include client credentials in the HTTP Authorization header and with Post you include those same client credentials in the request body itself.
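To make the difference concrete, here is an added example (not part of the original answer, and not Auth0's or the OAuth specification's own code) that builds the same `client_credentials` call to `/oauth/token` both ways and then shows how an authorization server would validate each form. The client id, secret and audience are constructed sample values, and the method names `"basic"` and `"post"` are this example's own labels for the two token endpoint authentication methods; nothing is sent over the network.

```python
import base64
import binascii
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed sample credentials for the example; not real Auth0 values.
CLIENT_ID = "my-client"
CLIENT_SECRET = "s3cret"
AUDIENCE = "https://api.example.com/"  # hypothetical API identifier


def basic_auth_header(client_id, client_secret):
    """Build the Authorization header value for the Basic method.

    RFC 6749 section 2.3.1: the client id and secret are each
    form-urlencoded, joined with ':' and then base64-encoded exactly as in
    HTTP Basic authentication. The encoding step matters when a secret
    contains ':' or non-ASCII characters.
    """
    user_pass = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(user_pass.encode("ascii")).decode("ascii")


def build_token_request(method, client_id, client_secret, audience):
    """Return (headers, body) for a client_credentials request.

    method is "basic" (credentials in the Authorization header) or "post"
    (credentials as client_id/client_secret form fields in the body).
    """
    form = {"grant_type": "client_credentials", "audience": audience}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif method == "post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown method: {method}")
    return headers, urlencode(form)


def parse_basic_header(value):
    """Decode a Basic header back into (client_id, client_secret), or None."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    cid, sep, secret = decoded.partition(":")
    if not sep:
        return None
    return unquote(cid), unquote(secret)


def authenticate_client(headers, body, registry):
    """Server-side check accepting either method for a registered client.

    registry maps client_id -> expected client_secret. Returns the
    authenticated client_id, or None on failure. A request carrying
    credentials in both the header and the body is rejected, since
    RFC 6749 section 2.3 forbids using more than one method per request.
    """
    form = {k: v[0] for k, v in parse_qs(body).items()}
    in_header = "Authorization" in headers
    in_body = "client_id" in form or "client_secret" in form
    if in_header and in_body:
        return None
    if in_header:
        parsed = parse_basic_header(headers["Authorization"])
        if parsed is None:
            return None
        client_id, presented = parsed
    elif in_body:
        client_id = form.get("client_id", "")
        presented = form.get("client_secret", "")
    else:
        return None
    expected = registry.get(client_id)
    if expected is None:
        return None
    # Constant-time comparison so the response time does not reveal how
    # many leading bytes of a guessed secret were correct.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return None
    return client_id


if __name__ == "__main__":
    registry = {CLIENT_ID: CLIENT_SECRET}
    for method in ("basic", "post"):
        hdrs, body = build_token_request(method, CLIENT_ID, CLIENT_SECRET, AUDIENCE)
        print(method, hdrs, body, "->", authenticate_client(hdrs, body, registry))
```

Running the script prints the two request shapes side by side: with Basic the body holds only `grant_type` and `audience` while the secret travels in the `Authorization` header, and with Post the header is absent and `client_id`/`client_secret` appear as form fields. In both cases the secret is only as safe as the TLS connection carrying the request, so the choice between the two is about which place your HTTP client and server tooling handle cleanly, not about one being more secret than the other.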