Thank you! There's a concept called "public clients" when the client_id and client_secret will be public (ex: SPA web apps, mobile apps), there's no added advantage in having a client_secret. Therefore, we create public clients which only has a client_id.

If you created a non-public client, you should send the "cilent_secret" as a parameter in these requests.