---
editLink: false
lastUpdated: false
---

[@salesforce/b2c-tooling-sdk](../../modules.md) / [auth](../index.md) / encodeBasicClientCredentials

# Function: encodeBasicClientCredentials()

> **encodeBasicClientCredentials**(`clientId`, `clientSecret`): `string`

Defined in: [packages/b2c-tooling-sdk/src/auth/client-credentials.ts:58](https://github.com/SalesforceCommerceCloud/b2c-developer-tooling/blob/67fb8580ac3c5b372617ee3ec3fc8f2bc9f16174/packages/b2c-tooling-sdk/src/auth/client-credentials.ts#L58)

Builds the base64 payload for an `Authorization: Basic` header carrying OAuth
client credentials, per RFC 6749 §2.3.1.

The client identifier and client password are each form-url-encoded (RFC 6749
Appendix B) *before* being joined with a colon and Base64-encoded (RFC 7617
§2, the HTTP Basic scheme). Skipping the per-component encoding corrupts any
credential containing characters the server form-url-decodes: a raw `+` is
read as a space and a valid `%xx` escape is decoded to another byte (both
yield `invalid_client` -- a wrong-but-valid secret), while an invalid escape
such as `%zz` makes a strict decoder error out (`unauthorized_client` /
"Unexpected error when authenticating client"). The same credential succeeds
when sent in the request body, which is form-url-encoded by construction --
the "body works, Basic fails" symptom.

## Parameters

### clientId

`string`

The OAuth client identifier

### clientSecret

`string`

The OAuth client password/secret

## Returns

`string`

The Base64 string to place after `Basic ` in the `Authorization` header

## See

 - https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
 - https://datatracker.ietf.org/doc/html/rfc6749#appendix-B
