The POST request to the Token URL requires the client_id and client_secret of your app:
- either as body parameters,
- or within the Authorization Header, with Basic Authentication as such: Authorization: Basic <base64 encoded string client_id:client_secret>
For further details, please read the chapter "Authorization (OAuth)" in "Getting Started", here.