diff --git a/README.md b/README.md
index 83f0e52..0f5703e 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,7 @@ func main() {
 srv := server.NewDefaultServer(manager)
 srv.SetAllowGetAccessRequest(true)
+ srv.SetClientInfoHandler(server.ClientFormHandler)
 srv.SetInternalErrorHandler(func(err error) {
 log.Println("OAuth2 Error:", err.Error())
@@ -75,6 +76,7 @@ func main() {
 http.ListenAndServe(":9096", nil)
 }
+ ```
 ### Build and run
@@ -130,8 +132,8 @@ Copyright (c) 2016 Lyric
 [License-Image]: https://img.shields.io/npm/l/express.svg
 [Build-Status-Url]: https://travis-ci.org/go-oauth2/oauth2
 [Build-Status-Image]: https://travis-ci.org/go-oauth2/oauth2.svg?branch=master
-[Release-Url]: https://github.com/go-oauth2/oauth2/releases/tag/v3.5.0
-[Release-image]: http://img.shields.io/badge/release-v3.5.0-1eb0fc.svg
+[Release-Url]: https://github.com/go-oauth2/oauth2/releases/tag/v3.5.1
+[Release-image]: http://img.shields.io/badge/release-v3.5.1-1eb0fc.svg
 [ReportCard-Url]: https://goreportcard.com/report/gopkg.in/oauth2.v3
 [ReportCard-Image]: https://goreportcard.com/badge/gopkg.in/oauth2.v3
 [GoDoc-Url]: https://godoc.org/gopkg.in/oauth2.v3
diff --git a/doc.go b/doc.go
index 4d69676..b22deab 100644
--- a/doc.go
+++ b/doc.go
@@ -1,4 +1,5 @@
 // OAuth 2.0 server library for the Go programming language
+//
 // package main
 // import (
 // "net/http"
diff --git a/example/client/client.go b/example/client/client.go
index 8aaa1a5..bef2674 100644
--- a/example/client/client.go
+++ b/example/client/client.go
@@ -5,11 +5,13 @@ import (
 "log"
 "net/http"
 "net/url"
+ "strings"
 )
 const (
 redirectURI = "http://localhost:9094/oauth2"
 serverURI = "http://localhost:9096"
+ clientID = "222222"
 )
 func main() {
@@ -20,7 +22,7 @@ func main() {
 }
 q := u.Query()
 q.Add("response_type", "code")
- q.Add("client_id", "222222")
+ q.Add("client_id", clientID)
 q.Add("scope", "all")
 q.Add("state", "xyz")
 q.Add("redirect_uri", url.QueryEscape(redirectURI))
@@ -44,9 +46,15 @@ func main() {
 uv.Add("code", code)
 uv.Add("redirect_uri", redirectURI)
 uv.Add("grant_type", "authorization_code")
- uv.Add("client_id", "222222")
- uv.Add("client_secret", "22222222")
- resp, err := http.PostForm(serverURI+"/token", uv)
+ uv.Add("client_id", clientID)
+ req, err := http.NewRequest(http.MethodPost, serverURI+"/token", strings.NewReader(uv.Encode()))
+ if err != nil {
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }
+ req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+ req.SetBasicAuth(clientID, "22222222")
+ resp, err := http.DefaultClient.Do(req)
 if err != nil {
 http.Error(w, err.Error(), http.StatusInternalServerError)
 return
diff --git a/server/server.go b/server/server.go
index b143218..c71ff9d 100644
--- a/server/server.go
+++ b/server/server.go
@@ -26,7 +26,7 @@ func NewServer(cfg *Config, manager oauth2.Manager) *Server {
 Manager: manager,
 }
 // default handler
- srv.ClientInfoHandler = ClientFormHandler
+ srv.ClientInfoHandler = ClientBasicHandler
 srv.UserAuthorizationHandler = func(w http.ResponseWriter, r *http.Request) (userID string, err error) {
 err = errors.ErrAccessDenied
 return
@@ -292,6 +292,9 @@ func (s *Server) ValidationTokenRequest(r *http.Request) (gt oauth2.GrantType, t
 if tgr.RedirectURI == "" || tgr.Code == "" {
 err = errors.ErrInvalidRequest
+ return
+ } else if cid := r.FormValue("client_id"); cid == "" || cid != clientID {
+ err = errors.ErrInvalidClient
 }
 case oauth2.PasswordCredentials:
 tgr.Scope = r.FormValue("scope")
diff --git a/server/server_config.go b/server/server_config.go
index 30a2406..c7a4e00 100644
--- a/server/server_config.go
+++ b/server/server_config.go
@@ -1,6 +1,8 @@
 package server
-import oauth2 "gopkg.in/oauth2.v3"
+import (
+ "gopkg.in/oauth2.v3"
+)
 // SetTokenType token type
 func (s *Server) SetTokenType(tokenType string) {
diff --git a/server/server_test.go b/server/server_test.go
index 73f0588..33fc9c2 100644
--- a/server/server_test.go
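Review bot: `resp, err := http.DefaultClient.Do(req)` sends the token request with no deadline, so a stalled authorization server hangs this redirect handler (and its goroutine) indefinitely; a package-level `var httpClient = &http.Client{Timeout: 10 * time.Second}` (constructed value, needs the `time` import) called as `httpClient.Do(req)` bounds it. The secret in `req.SetBasicAuth(clientID, "22222222")` is still an inline literal although `clientID` was hoisted into the `const` block earlier in this file; hoisting it as `clientSecret` next to it keeps the demo credentials in one place, and a comment there should say a real client loads the secret from configuration rather than source. The handler closure opens before the hunk and the code that consumes `resp` follows it, so whether `resp.Body` is closed on every path cannot be confirmed from here.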
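Review bot: Switching the default from `ClientFormHandler` to `ClientBasicHandler` changes which token requests authenticate for every deployment that never calls `SetClientInfoHandler`, and the only marker is the unchanged `// default handler` comment. Make it say what the default now is and how to get the old behaviour back, e.g. `// default handler: client credentials are taken from the HTTP Basic Authorization header (RFC 6749 §2.3.1); call SetClientInfoHandler(ClientFormHandler) to accept client_id/client_secret in the form body instead.` The README hunk shows the example doing exactly that, but a library user upgrading will read the code, not the README. NewServer's body continues past the hunk.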
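Review bot: The new `else if cid := r.FormValue("client_id"); cid == "" || cid != clientID` branch rejects an authorization_code request whose form omits client_id, yet with the default now being `ClientBasicHandler` the client has already authenticated through the Authorization header, and RFC 6749 §4.1.3 makes the form client_id REQUIRED only when the client is not authenticating that way, so conforming clients that send only Basic credentials get `ErrInvalidClient`. The mismatch check is the valuable part; `if cid := r.FormValue("client_id"); cid != "" && cid != clientID {` keeps it while allowing the parameter to be absent, and a one-line comment should cite the RFC section so the next reader knows it is deliberate. Presumably `clientID` holds what ClientInfoHandler extracted earlier in this function, but that assignment is outside the hunk. The `else` after `return` also reads awkwardly in Go; a separate `if` after the redirect/code block is the usual shape. ValidationTokenRequest starts and ends outside the hunk.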
+++ b/server/server_test.go
@@ -73,7 +73,7 @@ func TestAuthorizeCode(t *testing.T) {
 WithFormField("code", code).
 WithFormField("grant_type", "authorization_code").
 WithFormField("client_id", clientID).
- WithFormField("client_secret", clientSecret).
+ WithBasicAuth(clientID, clientSecret).
 Expect().
 Status(http.StatusOK).
 JSON().Raw()
@@ -145,11 +145,10 @@ func TestPasswordCredentials(t *testing.T) {
 val := e.POST("/token").
 WithFormField("grant_type", "password").
- WithFormField("client_id", clientID).
- WithFormField("client_secret", clientSecret).
 WithFormField("username", "admin").
 WithFormField("password", "123456").
 WithFormField("scope", "all").
+ WithBasicAuth(clientID, clientSecret).
 Expect().
 Status(http.StatusOK).
 JSON().Raw()
@@ -169,9 +168,8 @@ func TestClientCredentials(t *testing.T) {
 val := e.POST("/token").
 WithFormField("grant_type", "client_credentials").
- WithFormField("client_id", clientID).
- WithFormField("client_secret", clientSecret).
 WithFormField("scope", "all").
+ WithBasicAuth(clientID, clientSecret).
 Expect().
 Status(http.StatusOK).
 JSON().Raw()
@@ -200,7 +198,7 @@ func TestRefreshing(t *testing.T) {
 WithFormField("code", code).
 WithFormField("grant_type", "authorization_code").
 WithFormField("client_id", clientID).
- WithFormField("client_secret", clientSecret).
+ WithBasicAuth(clientID, clientSecret).
 Expect().
 Status(http.StatusOK).
 JSON()
@@ -210,10 +208,9 @@ func TestRefreshing(t *testing.T) {
 refresh := jval.Object().Value("refresh_token").String().Raw()
 rval := e.POST("/token").
 WithFormField("grant_type", "refresh_token").
- WithFormField("client_id", clientID).
- WithFormField("client_secret", clientSecret).
 WithFormField("scope", "one").
 WithFormField("refresh_token", refresh).
+ WithBasicAuth(clientID, clientSecret).
 Expect().
 Status(http.StatusOK).
 JSON().Raw()
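Review bot: After this change every token test authenticates with `WithBasicAuth(clientID, clientSecret)`, so the form-body path (`ClientFormHandler`, still selectable via `SetClientInfoHandler` and used by the README example) has no remaining coverage; one test should install `ClientFormHandler` and send `client_secret` as a form field as these tests did before. TestAuthorizeCode is also the only place the new client_id consistency check in ValidationTokenRequest is exercised, and only in the passing case: add a request that keeps the same Basic credentials but sends `WithFormField("client_id", "other-client")` (constructed value) and expects the invalid_client error, and one that omits the form client_id entirely to pin whichever behaviour is intended. The same gap applies to TestRefreshing's authorization_code leg in the @@ -200 hunk.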