diff --git a/packages/better-auth/src/oauth2/refresh-access-token.ts b/packages/better-auth/src/oauth2/refresh-access-token.ts
index f1cde691a9..cfce3de5da 100644
--- a/packages/better-auth/src/oauth2/refresh-access-token.ts
+++ b/packages/better-auth/src/oauth2/refresh-access-token.ts
@@ -1,6 +1,7 @@
 import { betterFetch } from "@better-fetch/fetch";
 import type { OAuth2Tokens } from "./types";
 import type { ProviderOptions } from "./types";
+import { encodeOAuthParameter } from "./utils";
 
 export async function refreshAccessToken({
 refreshToken,
@@ -27,7 +28,9 @@ export async function refreshAccessToken({
 body.set("refresh_token", refreshToken);
 if (authentication === "basic") {
 const encodedCredentials = btoa(
- `${options.clientId}:${options.clientSecret}`,
+ `${encodeOAuthParameter(options.clientId)}:${encodeOAuthParameter(
+ options.clientSecret,
+ )}`,
 );
 headers["authorization"] = `Basic ${encodedCredentials}`;
 } else {
diff --git a/packages/better-auth/src/oauth2/utils.ts b/packages/better-auth/src/oauth2/utils.ts
index 061b4be536..237580d0ec 100644
--- a/packages/better-auth/src/oauth2/utils.ts
+++ b/packages/better-auth/src/oauth2/utils.ts
@@ -26,3 +26,6 @@ export function getOAuth2Tokens(data: Record): OAuth2Tokens {
 idToken: data.id_token,
 };
 }
+
+export const encodeOAuthParameter = (value: string) =>
+ encodeURIComponent(value).replace(/%20/g, "+");
diff --git a/packages/better-auth/src/oauth2/validate-authorization-code.ts b/packages/better-auth/src/oauth2/validate-authorization-code.ts
index 886a0093a0..6069900312 100644
--- a/packages/better-auth/src/oauth2/validate-authorization-code.ts
+++ b/packages/better-auth/src/oauth2/validate-authorization-code.ts
@@ -2,6 +2,7 @@ import { betterFetch } from "@better-fetch/fetch";
 import type { ProviderOptions } from "./types";
 import { getOAuth2Tokens } from "./utils";
 import { jwtVerify } from "jose";
+import { encodeOAuthParameter } from "./utils";
 
 export async function validateAuthorizationCode({
 code,
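Review bot: In refresh-access-token.ts the `btoa(...)` argument now form-encodes `options.clientId` and `options.clientSecret` unconditionally, so a secret containing `+`, `/`, `=` or another reserved character is sent in a different byte form than before this commit. That matches RFC 6749 §2.3.1, but a token endpoint that compares the Basic credential verbatim, without form-decoding it, would presumably start rejecting credentials that used to work, and the failure would only show up as a client-authentication error at token exchange. I would state the intent on the line, `// RFC 6749 §2.3.1: id and secret are form-encoded before Basic auth`, and add a test with a secret containing `+` and `/` so the behaviour change is pinned. The same applies to the identical hunk in validate-authorization-code.ts. refreshAccessToken starts and ends outside the hunk.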
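Review bot: `encodeOAuthParameter`, added at the end of utils.ts, is exported without a doc comment or a return type, and its name does not say which encoding it implements or where it is safe to use. `encodeURIComponent` leaves `!`, `'`, `(`, `)` and `~` unescaped, so the result is not byte-identical to what a `URLSearchParams` serializer emits for application/x-www-form-urlencoded; a receiver that decodes gets the same value back, but the difference is worth recording for anyone comparing encoded strings. I would add `/** Form-encodes a client id or secret for HTTP Basic client authentication (RFC 6749 §2.3.1, Appendix B); spaces become "+". */` and write the signature as `(value: string): string =>`.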
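Review bot: The import added in validate-authorization-code.ts is a second import from `./utils`, two lines below the existing `import { getOAuth2Tokens } from "./utils";`. Merging the two keeps one import statement per module: `import { encodeOAuthParameter, getOAuth2Tokens } from "./utils";`. The body of validateAuthorizationCode continues outside the hunk.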
@@ -34,7 +35,9 @@ export async function validateAuthorizationCode({
 body.set("redirect_uri", options.redirectURI || redirectURI);
 if (authentication === "basic") {
 const encodedCredentials = btoa(
- `${options.clientId}:${options.clientSecret}`,
+ `${encodeOAuthParameter(options.clientId)}:${encodeOAuthParameter(
+ options.clientSecret,
+ )}`,
 );
 headers["authorization"] = `Basic ${encodedCredentials}`;
 } else {
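Review bot: The `btoa(...)` expression in this hunk is a character-for-character copy of the one in refresh-access-token.ts, so the two token-endpoint callers can drift apart the next time the client-authentication encoding is touched. Since the encoder already lives in `./utils`, I would put the whole Basic header construction there as one helper that takes the client id and secret and returns the header value. Both call sites would then reduce to `headers["authorization"] = basicAuthHeader(options.clientId, options.clientSecret);`, where `basicAuthHeader` is a proposed name. The hunk does not show the type of `options.clientSecret`; if it can be undefined, that helper is also the single place to reject it instead of encoding the string "undefined". validateAuthorizationCode starts and ends outside the hunk.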