diff --git a/content/docs/connectors/local.md b/content/docs/connectors/local.md
index 5db1c52..0145d03 100644
--- a/content/docs/connectors/local.md
+++ b/content/docs/connectors/local.md
@@ -82,25 +82,33 @@ oauth2:
 
 Depending on whether you use a public or a private client you need to either include the just `clientId` or the `clientId` and `clientPassword` in the authorization header.
 
-**Public Client**
+**Private Client**
+
+For private clients, the `Authorization` header must contain `<id>:<secret>` (with no trailing return). In this example,
+the authorization header can be generated by running the command `echo -n "private-client:app-secret" | base64`
+
 ```shell
 curl -L -X POST 'http://localhost:8080/dex/token' \
--H 'Authorization: Basic cHVibGljLWNsaWVudAo=' \ # base64 encoded: public-client
+-H 'Authorization: Basic cHJpdmF0ZS1jbGllbnQ6YXBwLXNlY3JldA==' \ # base64 encoded: private-client:app-secret
 -H 'Content-Type: application/x-www-form-urlencoded' \
 --data-urlencode 'grant_type=password' \
---data-urlencode 'scope=openid profile' \
+--data-urlencode 'scope=openid' \
 --data-urlencode 'username=admin@example.com' \
 --data-urlencode 'password=admin'
 ```
 
+**Public Client**
+
+For public clients, no secret is included in the `Authorization` header, only the client id and the colon. In this example,
+the command `echo -n "public-client:" | base64` generates shown authorization header.
 
-**Private Client**
 ```shell
 curl -L -X POST 'http://localhost:8080/dex/token' \
--H 'Authorization: Basic cHJpdmF0ZS1jbGllbnQ6YXBwLXNlY3JldAo=' \ # base64 encoded: private-client:app-secret
+-H 'Authorization: Basic cHVibGljLWNsaWVudDo=' \
 -H 'Content-Type: application/x-www-form-urlencoded' \
 --data-urlencode 'grant_type=password' \
---data-urlencode 'scope=openid' \
+--data-urlencode 'scope=openid profile' \
 --data-urlencode 'username=admin@example.com' \
 --data-urlencode 'password=admin'
 ```
+