Persistent invalid_grant Error with Authorization Code Flow (Python/Spotipy) - Exhausted All Troubl
I'm developing a Python application using the Spotipy library and attempting to implement the Authorization Code Flow to gain API access. I'm consistently running into an invalid_grant error during the token exchange step, and I've exhausted almost all conceivable troubleshooting steps. I'm hoping someone here might have encountered a similar issue or can offer insights.
The Core Problem: After a user successfully authorizes my application on Spotify, I'm redirected back to my redirect_uri with an authorization code. However, when I try to exchange this authorization code for an access_token and refresh_token using sp_oauth.get_access_token(), the Spotify API consistently returns: error: invalid_grant, error_description: Invalid authorization code
Troubleshooting Steps Taken (and What They've Ruled Out): I've performed extensive debugging to pinpoint the cause, ruling out most common issues:
Local HTTP Redirect URI (http://127.0.0.1:5555/callback): Initially tried this for local development. Result: Spotify started rejecting these as "insecure" or browsers blocked the redirect. Ruled out: Insecure URI blocking.
Ngrok Tunneling for Local HTTPS: Used Ngrok to create a public HTTPS tunnel to my local redirect_uri. Result: Spotify successfully redirected to the Ngrok URL with the code, but the invalid_grant error persisted when trying to exchange the token. Ruled out: Local network/firewall issues, basic HTTPS connectivity.
Dedicated HTTPS Server Environment (Repl.it with Flask): To completely rule out local environment issues, I set up a Python Flask web server on Repl.it. The redirect_uri in my Spotify Dashboard was configured to the public HTTPS URL of my Repl.it instance (e.g., https://my-repl-name.username.repl.co/callback). Crucial Result: Spotify successfully redirected to the Repl.it HTTPS URL with the authorization code. The Flask server on Repl.it successfully captured this code (confirmed by server logs showing "GET /callback?code=... HTTP/1.1" 200 -). However, when the Repl.it server immediately attempted to exchange this captured code for a token, the invalid_grant error still occurred. Ruled out: Issues with redirect_uri configuration, code capture, timing of the exchange, or local environment factors. This confirmed the code is being received but rejected by Spotify.
Testing with Multiple Spotify Accounts and Brand New Applications: I've performed all the above tests using: My original Spotify Developer account and application (including resetting the Client Secret). A completely different Spotify Developer account with a brand new application (new Client ID and Client Secret). Result: The invalid_grant error persisted across all these different account and application combinations. Ruled out: Problems specific to my primary account, specific application settings, or compromised Client ID/Secret.
Summary & Question for the Community: Given the extensive troubleshooting, it seems the problem is not with my code, my local setup, or the redirect mechanism. The authorization code is successfully delivered, but Spotify consistently rejects it during the token exchange with invalid_grant. Has anyone else encountered this persistent invalid_grant error under such conditions, especially when using cloud development environments like Repl.it? Are there any known issues, undocumented restrictions for certain IP ranges/environments, or specific server-side diagnostics I should be aware of or request from Spotify support? Any insights or suggestions would be greatly appreciated as I'm currently stuck at this crucial step. Thank you!
Labels: invalid_grant, Possible Bug, Question, Spotipy
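Added example, not part of the original post and not Spotipy's own code: the token exchange described in the post, written out with the standard library so the exact request parameters are visible, plus a pre-flight check for two RFC 6749 rules that produce invalid_grant when broken (an authorization code may be redeemed only once, section 4.1.2, and the redirect_uri in the token request must be identical to the one in the authorization request, section 4.1.3). `CodeExchangeGuard`, the client ID, and the code value are hypothetical names and constructed sample values; nothing is sent over the network.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_URL = "https://accounts.spotify.com/api/token"
# Constructed sample values; the redirect URI is the placeholder from the post.
REDIRECT_URI = "https://my-repl-name.username.repl.co/callback"
AUTHORIZE_URL = "https://accounts.spotify.com/authorize?" + urlencode({
    "client_id": "EXAMPLE_CLIENT_ID", "response_type": "code",
    "redirect_uri": REDIRECT_URI})
CALLBACK_URL = REDIRECT_URI + "?code=EXAMPLE_CODE"


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Return (url, headers, body) of the authorization_code grant request."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return TOKEN_URL, headers, body


class CodeExchangeGuard:
    """Hypothetical pre-flight checks for two RFC 6749 invalid_grant causes."""

    def __init__(self, authorize_url):
        # redirect_uri exactly as it was sent in the authorization request
        query = parse_qs(urlsplit(authorize_url).query)
        self.sent_redirect_uri = query["redirect_uri"][0]
        self.redeemed = set()  # codes already submitted to the token endpoint

    def check(self, callback_url, token_redirect_uri):
        """Return (code, problems); an empty list means the exchange may go out."""
        code = parse_qs(urlsplit(callback_url).query).get("code", [None])[0]
        problems = []
        if code is None:
            problems.append("callback carries no code")
        elif code in self.redeemed:
            problems.append("code was already redeemed (codes are single-use)")
        if token_redirect_uri != self.sent_redirect_uri:
            problems.append("redirect_uri differs from the authorization request")
        if code is not None and not problems:
            self.redeemed.add(code)  # mark as used only when the exchange proceeds
        return code, problems


if __name__ == "__main__":
    guard = CodeExchangeGuard(AUTHORIZE_URL)
    print(guard.check(CALLBACK_URL, REDIRECT_URI))        # first exchange
    print(guard.check(CALLBACK_URL, REDIRECT_URI))        # replayed callback
    print(guard.check(CALLBACK_URL, REDIRECT_URI + "/"))  # trailing slash added
```

Logging the `body` returned by `build_token_request` (with the code redacted) next to the original authorization URL makes a byte-level redirect_uri difference or a second redemption attempt visible in server logs.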