diff --git a/lib/comfycamp_web/controllers/oauth_controller.ex b/lib/comfycamp_web/controllers/oauth_controller.ex
index 9fa4227..e076754 100644
--- a/lib/comfycamp_web/controllers/oauth_controller.ex
+++ b/lib/comfycamp_web/controllers/oauth_controller.ex
@@ -77,12 +77,9 @@ defmodule ComfycampWeb.OauthController do
     end
   end
 
-  def token(conn, %{
-        "code" => code_value,
-        "redirect_uri" => redirect_uri,
-        "client_id" => client_id,
-        "client_secret" => client_secret
-      }) do
+  def token(conn, params = %{"code" => code_value, "redirect_uri" => redirect_uri}) do
+    {:ok, client_id, client_secret} = get_client_info(conn, params)
+
     # Check that code is still valid and redirect uri has not been altered.
     %OIDCCode{redirect_uri: ^redirect_uri} = code = SSO.get_oidc_code!(code_value)
 
@@ -112,6 +109,25 @@ defmodule ComfycampWeb.OauthController do
     render(conn, :openid_discovery)
   end
 
+  @doc """
+  Extract client id and client secret from request parameters or headers.
+  Returns {:ok, "client_id", "client_secret"} on success.
+  """
+  def get_client_info(_conn, %{"client_id" => client_id, "client_secret" => client_secret}) do
+    {:ok, client_id, client_secret}
+  end
+
+  def get_client_info(conn, _params) do
+    with [header] <- Plug.Conn.get_req_header(conn, "authorization"),
+         "Basic " <> b64 <- header,
+         {:ok, keys} <- Base.decode64(b64),
+         [client_id, client_secret] <- String.split(keys, ":") do
+      {:ok, client_id, client_secret}
+    else
+      _ -> {:error, "Invalid Authorization header"}
+    end
+  end
+
   defp build_redirect_uri(redirect_uri, code, state) do
     parsed_uri = URI.parse(redirect_uri)
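Review bot: The match `{:ok, client_id, client_secret} = get_client_info(conn, params)` on the second added line of the first hunk does not handle the `{:error, _}` tuple that `get_client_info/2` returns when neither the form parameters nor a Basic Authorization header carry credentials, so a token request with missing or malformed client credentials raises a MatchError and is answered with a 500 instead of an OAuth `invalid_client` error. Replace the match with `with {:ok, client_id, client_secret} <- get_client_info(conn, params) do` wrapping the rest of the body, and add an `else` clause that responds 401 with `%{error: "invalid_client"}` (plus a `WWW-Authenticate: Basic` header if the header-authenticated client behaviour is wanted); the body of `token/2` continues past the end of this hunk, so the closing `else`/`end` lands outside it. Related, in the second hunk: `String.split(keys, ":")` rejects any secret that itself contains a colon, so `String.split(keys, ":", parts: 2)` is safer, and RFC 6749 expects the id and secret to be form-urlencoded before Base64 encoding, which the decode path does not undo — confirm against how this server issues client secrets.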