@MichaelC16831869  not with the out-of-the-box Authentication Profile. In Pega, the keystore and truststore handle TLS and mutual TLS at the socket level, but they do not replace OAuth client authentication, so client_credentials requires a client_secret in the profile. You can choose to send the secret in the Authorization header (Basic) instead of the request body, but the secret still goes over the wire. If your authorization server supports mutual TLS client authentication without a secret, build a custom token call: create a REST connector to the token endpoint using your keystore and truststore, post the required form fields, cache the access token on a data page, and add it as a Bearer token on your business calls. If your server supports private_key_jwt client authentication and your Pega version does not expose it in the Authentication Profile, do the same custom pattern but generate the signed JWT from your keystore before the token call. You cannot delete or bypass the client_secret field in the profile when grant type is client_credentials. For governance, keep certificate rotation in a dedicated keystore record and add short token TTL with refresh logic on failure. If you must keep everything “profile based,” log an enhancement request with Pega to add mTLS or JWT-based client authentication to client_credentials.