I’m building a single-page app that needs to authenticate against CXone using the Authorization Code flow with PKCE. The initial step works fine. I hit the authorize endpoint, get the code, and capture the state. But when I swap that code for an access token, the server rejects the request with a 400 bad_request. The error message says invalid_grant and specifically complains about the code_verifier.
I’ve checked the code generation logic. It uses a cryptographically secure random string, URL-safe base64 encoded. The challenge is SHA256 hashed and encoded. Here is the payload I’m sending to the token endpoint:
{
  "grant_type": "authorization_code",
  "code": "4/C25hbGs...",
  "redirect_uri": "http://localhost:3000/callback",
  "client_id": "my-client-id",
  "code_verifier": "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
}
The verifier matches what I sent in the challenge. I’ve tried removing the URL-safe padding characters just in case, but it still fails. The REST Proxy doesn’t help here since this is client-side JS. Is there a specific encoding requirement for the verifier in CXone that differs from the standard spec?