...
In the second step, the client exchanges the authorization code for an access token. This exchange happens server-to-server, without involving the user's browser, and it requires the client's credentials, sent as HTTP Basic auth.
The client's server makes a POST request to the token endpoint with the following parameters, encoded in "application/x-www-form-urlencoded" format:
...
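The token request described above, built in Python as an added example (not code from the original page). It assumes the OAuth 2.0 authorization code grant: parameter names follow RFC 6749 section 4.1.3 and the credential encoding follows section 2.3.1. The function names, endpoint, client ID, secret and code values are constructed for illustration.

```python
import base64
import urllib.parse
import urllib.request


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Hypothetical helper: Basic credential per RFC 6749 section 2.3.1.

    Each part is form-urlencoded before base64, so a ':' or other reserved
    character inside the secret cannot shift the id/secret boundary.
    """
    user = urllib.parse.quote_plus(client_id)
    password = urllib.parse.quote_plus(client_secret)
    raw = f"{user}:{password}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(token_endpoint, code, redirect_uri,
                        client_id, client_secret):
    """Hypothetical helper: build (but do not send) the code-for-token POST."""
    # Client credentials and the code must never travel over plain HTTP.
    if urllib.parse.urlsplit(token_endpoint).scheme != "https":
        raise ValueError("token endpoint must use https")
    # Form-encoded body; the client secret stays out of the body because
    # the client authenticates through the Authorization header instead.
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # same value as in the first step
    }).encode("ascii")
    req = urllib.request.Request(token_endpoint, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Authorization", basic_auth_header(client_id, client_secret))
    return req


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    request = build_token_request(
        "https://auth.example/token", "constructed-code",
        "https://client.example/cb", "demo-client", "s3cr:et/+")
    print(request.get_method(), request.full_url)
    print(request.data.decode("ascii"))
    # Avoid logging the Authorization header: it is only base64, not encrypted.
    print(sorted(name for name, _ in request.header_items()))
```

Passing the returned object to `urllib.request.urlopen` would perform the exchange; the response handling depends on the authorization server and is left out.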