Invalid_Client Error Returned When Requesting OAuth Token(s)
Okta Classic Engine
Okta Identity Engine
API Access Management
Overview

This article addresses invalid_client errors. These errors can occur during an authentication attempt or when requesting a token. Common error messages include:

First invalid_client error

{
  "errorCode": "invalid_client",
  "errorSummary": "Invalid value for 'client_id' parameter."
}

Second invalid_client error

{
  "error": "invalid_client",
  "error_description": "The client secret supplied for a confidential client is invalid."
}

Third invalid_client error

{
  "error": "invalid_client",
  "error_description": "Client authentication failed. Either the client or the client credentials are invalid."
}

Applies To
  • OAuth 2.0
  • OpenID Connect (OIDC)
  • API Authentication
  • Okta Identity Engine (OIE)
  • Classic
Cause

This error typically occurs due to one of the following configuration issues:

  • The client_id or client_secret provided in the request is incorrect or does not match the application's configuration.

  • The client_id and client_secret are not passed correctly in the Authorization Header, or an incorrect client authentication method is used when calling the /token endpoint.

  • The /authorize and /token endpoint requests are being sent to different tenants (e.g., one to domain-123.okta.com and the other to domain-456.okta.com).

  • The client secret has expired or was revoked.

Solution
  • Verify that the client_id and client_secret values used in the request exactly match the credentials listed in the application's configuration.

  • Confirm that the tenant (e.g., https://<tenant>.okta.com) is the same for both the /authorize request and the /token request.

  • Verify that the correct client authentication method is used when calling the /token endpoint. The client_id and client_secret must be passed correctly in the Authorization header. For more details, see the Client Authentication Methods documentation.

    NOTE: For the client_secret_basic method, the Authorization header uses the following format:

    Authorization: Basic ${Base64(<client_id>:<client_secret>)}
    

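    To generate this Base64-encoded string from the command line, use the following command. printf '%s' writes the credentials without a trailing newline, and the -A flag keeps the output on a single line; without -A, openssl base64 wraps its output every 64 characters, which breaks the header value when <client_id>:<client_secret> is longer than 48 bytes:

    printf '%s' '<client_id>:<client_secret>' | openssl base64 -A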
    
  • If all configurations are correct, the existing secret may be invalid. If this is the case, follow the steps below to generate a new client secret:

    1. In the Admin Console, go to Applications -> Applications.

    2. Select the target application.

    3. Select the General tab.

    4. In the Client Secrets section, click Generate New Secret.

    5. Update the external application or service configuration/code with the newly generated secret.
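
The first three checks in this list can be run against a request before it is sent. The following Python sketch is an added example, not Okta code: the function names, the sample client_id and secret, and the two URLs are constructed for illustration. It builds the client_secret_basic header and reports a tenant mismatch, a line-wrapped or malformed Base64 value, a wrong client_id, or a secret with stray whitespace, without ever echoing the secret.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Constructed sample endpoints on the article's example tenant name.
AUTHORIZE_URL = "https://domain-123.okta.com/oauth2/v1/authorize"
TOKEN_URL = "https://domain-123.okta.com/oauth2/v1/token"


def basic_auth_header(client_id, client_secret):
    """client_secret_basic value: Basic Base64(<client_id>:<client_secret>), one line."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode("ascii")


def check_token_request(authorize_url, token_url, authorization, expected_client_id):
    """Return findings for a /token request; an empty list means none were detected."""
    findings = []
    # Cause: /authorize and /token requests sent to different tenants.
    a_host = urlsplit(authorize_url).hostname or ""
    t_host = urlsplit(token_url).hostname or ""
    if a_host != t_host:
        findings.append(f"tenant mismatch: {a_host} vs {t_host}")
    # Cause: credentials not passed correctly in the Authorization header.
    scheme, _, value = authorization.partition(" ")
    if scheme.lower() != "basic":
        return findings + ["Authorization scheme is not Basic"]
    if any(ch.isspace() for ch in value):
        findings.append("whitespace or line break inside the Base64 value")
    try:
        decoded = base64.b64decode("".join(value.split()), validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return findings + ["header value is not valid Base64"]
    client_id, sep, secret = decoded.partition(":")
    if not sep:
        findings.append("decoded value has no ':' separator")
    elif client_id != expected_client_id:
        findings.append("client_id differs from the application's client_id")
    elif not secret or secret != secret.strip():
        findings.append("client_secret is empty or has surrounding whitespace")
    return findings  # the secret itself is never included in a finding


if __name__ == "__main__":
    # Constructed secret with a trailing newline, as produced by echo without -n.
    header = basic_auth_header("0oaEXAMPLEID", "constructed-secret\n")
    for finding in check_token_request(AUTHORIZE_URL, TOKEN_URL, header, "0oaEXAMPLEID"):
        print(finding)
```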
