400 Bad Request - Access Token - PKCE Auth Code Flow


I'm currently on Step 2 (Requesting Access Token) of the Auth Code Flow using PKCE, but I am unable to retrieve the access token.
I am receiving a 400 Bad Request when sending my POST request to the endpoint.
Code Snippet

Everything seems correct when I output to the console, but it seems like I'm missing something.
Please help



To make it easier to check my work I will reference the Auth Code Flow documentation here and where that can be found in my code (above).

  • Making a POST request to the /api/token endpoint:
    - options.method = "POST"
  • Request body should contain the parameters in application/x-www-form-urlencoded:
    - headers["Content-Type"] = "application/x-www-form-urlencoded"
    - bodyObject = parameters needed
      searchParams = URLSearchParams object containing parameters and values
      requestBody = bodyObject in x-www-form-urlencoded form
    - request.write(requestBody) = request sending parameters in the body in x-www-form-urlencoded form
  • Request body parameters needed (found in bodyObject):
    - grant_type = "authorization_code"
    - code = codeVal, the code value found in the URL when redirected after Authorization
    - redirect_uri = redirectURI, the same URI sent in Step 1 of Auth Code Flow
    - client_id = environment variable that is expanded at runtime using dotenv library
    - code_verifier = codeVerifier, the code verifier my website created and sent in Step 1 of Auth Code Flow (have confirmed these match)
  • HTTP Headers:
    - headers.Authorization = base64 encoded(<client_id environment variable>:<client_secret environment variable>)
    - headers["Content-Type"] = "application/x-www-form-urlencoded"
5 Replies

Same issue. Did you figure it out?


I have the same problem when trying to refresh my token.
I'm sending a POST-request to endpoint "" and getting 400 "Invalid request". No error message. I just don't get what the problem is.


"refresh_token": [my refresh token],
"grant_type": "refresh_token",
"client_id": "[my client id]"
"Content-Type": "application/x-www-form-urlencoded"


Are you able to fetch the auth_token the first time around? I have the same issue and keep getting invalid code_verifier when it is exactly the same as generated. Happy to pair program if you’d like, 2 pairs of eyes > one

Did you get a successful auth token the first time around using PKCE?

Any news on this? I kinda have the same issue. Everything was working perfectly fine and out of nowhere I always get TIMEDOUT on
