Help Wizard

Step 1



Please see below the most popular frequently asked questions.

Loading article...

Loading faqs...


Ongoing Issues

Please see below the current ongoing issues which are under investigation.

Loading issue...

Loading ongoing issues...


400 Bad Request - Access Token - PKCE Auth Code Flow

400 Bad Request - Access Token - PKCE Auth Code Flow

I'm currently on Step 2 (Requesting Access Token) of the Auth Code Flow using PKCE, but I am unable to retrieve the access token.
I am receiving a 400 Bad Request when sending my POST request to the endpoint.
Code Snippet

Everything seems correct when I output to the console, but it seems like I'm missing something.
Please help



To make it easier to check my work I will reference the Auth Code Flow documentation here and where that can be found in my code (above).

  • Making a POST request to the /api/token endpoint:
    - options.method = "POST"
  • Request body should contain the parameters in application/x-www-form-urlencoded:
    - headers["Content-Type"] = "application/x-www-form-urlencoded"
    - bodyObject = parameters needed
      searchParams = URLSearchParams object containing parameters and values
      requestBody = bodyObject in x-www-form-urlencoded form
    - request.write(requestBody) = request sending parameters in the body in x-www-form-urlencoded form
  • Request body parameters needed (found in bodyObject):
    - grant_type = "authorization_code"
    - code = codeVal, the code value found in the URL when redirected after Authorization
    - redirect_uri = redirectURI, the same URI sent in Step 1 of Auth Code Flow
    - client_id = environment variable that is expanded at runtime using dotenv library
    - code_verifier = codeVerifier, the code verifier my website created and sent in Step 1 of Auth Code Flow (have confirmed these match)
  • HTTP Headers:
    - headers.Authorization = base64 encoded(<client_id environment variable>:<client_secret environment variable>)
    - headers["Content-Type"] = "application/x-www-form-urlencoded"
2 Replies

same issue. did you figure it out?


I have the same problem when trying to refresh my token.
I'm sending a POST-request to endpoint "" and getting 400 "Invalid request". No error message. I just don't get what the problem is.


"refresh_token": [my refresh token],
"grant_type": "refresh_token",
"client_id": "[my client id]"
"Content-Type": "application/x-www-form-urlencoded"


Suggested posts