The answer of csbrogi is correct.

Just for details this is configuration of ROPC,

Then you can make the request using the client_secret as well.
However, I don't recommend using ROPC in a new project — it's deprecated and tightly coupled to the Identity Provider. The best approach is to use the Authorization Code Grant flow. If it's an external app calling the API, you can also use an offline token.