<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Okta Error "invalid_client: Client authentication failed" when Calling the /token Endpoint
Mar 16, 2026
API Access Management
Okta Classic Engine
Okta Identity Engine
Overview

When attempting to acquire an access token by making a POST request to the Okta /oauth2/v1/token endpoint (or a custom authorization server's token endpoint), the request fails. The following error message is returned:

 

invalid_client: error_description: "Client authentication failed. Either the client or the client credentials are invalid"

 

Applies To
  • OAuth 2.0 / OpenID Connect (OIDC)
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
Cause

This error indicates that the credentials sent to authenticate the client application itself are incorrect, improperly formatted, or do not match the method configured for the application in Okta. Client credentials are the combination of client_id and client authentication (for example, client_secret or client assertion token).

Common causes include:

  • The client_id and client_secret are not correctly formatted in the Authorization header (for example, not properly Basic Auth encoded).

  • The client authentication method being used in the request (for example, client_secret_basic, client_secret_post) does not match the Client authentication setting configured for the application in the Okta Admin Console.

Solution

To resolve this issue, verify the application's credentials and client authentication method to ensure they match the information being sent in the API request.

  1. Log in to the Okta Admin Console.
  2. Navigate to Applications > Applications and select the OIDC/OAuth2 application that is experiencing the issue.
  3. In the General tab, scroll down to the Client Credentials section.
  4. Locate the Client authentication setting and note which method is selected (for example, "Public key / Private key").
  5. Ensure the API request to the /token endpoint is formatted correctly based on the configured authentication method:
    • For Client Secret: By default, this will require the Authorization header set to Basic followed by a base64-encoded string of client_id:client_secret
      • NOTE: If the application was created via the Management API, Client Secret could instead require params in the body, or an assertion token instead of a secret. Please refer to the developer docs at the bottom of this article for more info.
    • For Public key / Private key: The client authentication must be provided as a client assertion token. 

Related References

Recommended content

Still looking for help?
Loading
Okta Error "invalid_client: Client authentication failed" when Calling the /token Endpoint