Yes
Both Client-ID and Authorization should be provided*
Client-ID
Authorization
*Except for the validation endpoint