We’re building a SPA frontend that needs to interact with the Genesys Cloud Platform API. The goal is to implement the Authorization Code flow with PKCE to avoid storing client secrets in the browser.
The redirect to /oauth/authorize works fine. We get the code back in the URL fragment. The issue happens when we try to swap that code for an access token.
Here is the payload we’re sending to POST /oauth/token:
{
  "grant_type": "authorization_code",
  "code": "AUTH_CODE_FROM_REDIRECT",
  "redirect_uri": "https://our-app.com/callback",
  "client_id": "OUR_CLIENT_ID",
  "code_verifier": "GENERATED_VERIFIER"
}
The response is a 400 Bad Request. The error body says invalid_grant.
We’ve double-checked that the code_verifier matches the SHA256 hash used in the code_challenge during the initial auth request. The redirect URI matches exactly. The client ID is correct.
Is there a specific format required for the code_verifier in the Genesys Cloud implementation? Or maybe the token endpoint expects basic auth headers instead of the client_id in the body? We tried adding Authorization: Basic base64(client_id:secret) but that throws a different error about missing scope.
Any examples of a working cURL command for this specific flow would help.