Currently, Port's /v1/auth/access_token API requires clientId and clientSecret to be passed in the POST request body. This creates challenges for security-conscious implementations where:
- Secret masking: Many logging and monitoring systems can mask header values but not POST body content, leading to potential credential exposure in logs
- OAuth2 standard compliance: The OAuth 2.0 specification (RFC 6749) supports sending client credentials via the Authorization header using Basic authentication
- Automation workflows: Users building automation flows need to handle credentials securely without introducing additional infrastructure like cloud functions
Proposed Solution
Add support for passing client credentials via the Authorization header using HTTP Basic Authentication, in addition to the existing POST body method.
Example implementation:
curl --location --request POST 'https://api.getport.io/v1/auth/access_token' \
--header 'Authorization: Basic <base64_encoded_clientId:clientSecret>' \
--header 'Content-Type: application/json'
This would be in addition to (not replacing) the current method, ensuring backward compatibility.
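As an added illustration of the proposal (example code, not Port's own implementation), the block below shows both halves of the exchange: a client building the Basic Authorization header the way RFC 6749 section 2.3.1 describes it (form-url-encode each value, join with a colon, base64-encode), and a server-side resolver that accepts the header while still honouring the existing clientId/clientSecret JSON body so old clients keep working. It also shows the masking point from the problem statement: a log pipeline that redacts by header name hides the secret, whereas the same secret in a JSON body would slip past a header-only rule. The credential values are constructed placeholders, and the function names are this example's own.

```python
"""Added example (not Port's code): HTTP Basic client credentials for a
token endpoint, alongside the existing JSON-body method.
Assumption: SAMPLE_* values are constructed placeholders, not real credentials.
"""
import base64
import json
import re
from typing import Dict, Optional, Tuple
from urllib.parse import quote, unquote

# Constructed sample credentials (placeholders only).
SAMPLE_CLIENT_ID = "example-client-id"
SAMPLE_CLIENT_SECRET = "example-client-secret"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client side: build the Authorization value per RFC 6749 2.3.1.
    Each value is form-url-encoded first so a ':' inside a secret survives."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    token = base64.b64encode(raw.encode("ascii")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header_value: str) -> Optional[Tuple[str, str]]:
    """Inverse of basic_auth_header. Returns None for a non-Basic or
    malformed header instead of raising, so callers can fall back cleanly."""
    m = re.fullmatch(r"Basic\s+([A-Za-z0-9+/=]+)", header_value or "")
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    cid, secret = decoded.split(":", 1)
    return unquote(cid), unquote(secret)


def extract_client_credentials(headers: Dict[str, str], body: bytes) -> Optional[Tuple[str, str]]:
    """Server side: accept the Authorization header, or the existing JSON body
    (clientId/clientSecret) for backward compatibility. A request that supplies
    credentials both ways is rejected, as RFC 6749 2.3 forbids mixing methods."""
    from_header = parse_basic_auth(headers.get("Authorization", ""))
    from_body = None
    if body:
        try:
            data = json.loads(body)
            if "clientId" in data and "clientSecret" in data:
                from_body = (str(data["clientId"]), str(data["clientSecret"]))
        except (ValueError, TypeError):
            from_body = None
    if from_header and from_body:
        return None  # ambiguous: credentials supplied in more than one place
    return from_header or from_body


def redact_headers_for_log(headers: Dict[str, str]) -> Dict[str, str]:
    """The masking point: a header-name rule hides the secret before logging.
    The same rule cannot see a secret carried inside a JSON body."""
    return {k: ("[REDACTED]" if k.lower() == "authorization" else v) for k, v in headers.items()}


if __name__ == "__main__":
    header = basic_auth_header(SAMPLE_CLIENT_ID, SAMPLE_CLIENT_SECRET)
    request_headers = {"Authorization": header, "Content-Type": "application/json"}
    print("logged headers:", redact_headers_for_log(request_headers))
    print("server resolved:", extract_client_credentials(request_headers, b""))
```

The resolver deliberately returns None rather than picking a winner when both the header and the body carry credentials; a token endpoint that silently prefers one of them invites confusion about which secret was actually checked.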
Benefits
- Enhanced security: Enables credential masking in logs and monitoring systems
- Standards compliance: Aligns with OAuth 2.0 best practices
- Simplified automation: Reduces the need for intermediate services to handle authentication
- Flexibility: Provides users with multiple authentication methods based on their security requirements
Created by Oladipupo Ibeun