Hitting a 400 Bad Request when exchanging the authorization code for an access token in our SPA implementation. The error payload is clear: invalid_grant: Code challenge mismatch.
We are following the Authorization Code flow with PKCE as recommended for single-page applications. The initial auth request hits https://login.mypurecloud.com/oauth/authorize successfully. We generate the code_challenge using SHA-256 and base64url encoding, passing it in the redirect.
The issue seems to lie in the subsequent POST to /oauth/token. Here is the payload we are sending:
{
  "grant_type": "authorization_code",
  "code": "AUTH_CODE_FROM_REDIRECT",
  "redirect_uri": "https://our-app.local/callback",
  "client_id": "OUR_CLIENT_ID",
  "code_verifier": "PLAIN_TEXT_VERIFIER"
}
The code_verifier is the raw random string before hashing. I’ve double-checked the encoding logic in the frontend. It uses btoa for the challenge, but I suspect the backend or the way we pass the verifier might be introducing whitespace or encoding issues. Has anyone seen this specific mismatch with the Genesys Cloud endpoint? The docs are a bit sparse on exact encoding edge cases for PKCE.
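An added example, not part of the original post: a check that separates the two suspected causes, a challenge left in standard base64 by a bare btoa call and a verifier that picked up whitespace. The verifier/challenge pair is the RFC 7636 Appendix B test vector; `btoaChallenge`, `s256Challenge` and `diagnose` are hypothetical helper names, and Node's crypto module is assumed in place of the browser's crypto.subtle.digest so the check runs synchronously and offline.

```javascript
// Added example (not from the original post). Node's crypto stands in for the
// browser's crypto.subtle.digest so the check runs synchronously and offline.
const { createHash } = require('node:crypto');

// RFC 7636 section 4.1: 43-128 characters from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// Raw SHA-256 digest bytes of the ASCII verifier.
function sha256(verifier) {
  return createHash('sha256').update(verifier, 'ascii').digest();
}

// What a bare btoa() over the digest yields: standard base64 with + / and = padding.
function btoaChallenge(verifier) {
  return btoa(String.fromCharCode(...sha256(verifier)));
}

// What S256 requires: base64url without padding (RFC 7636 section 4.2).
function s256Challenge(verifier) {
  return btoaChallenge(verifier)
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

// Hypothetical helper: list the reasons a sent challenge would not match a verifier.
function diagnose(sentChallenge, verifier) {
  const problems = [];
  if (verifier !== verifier.trim()) problems.push('verifier has leading/trailing whitespace');
  if (!VERIFIER_RE.test(verifier)) problems.push('verifier is not 43-128 unreserved characters');
  if (/[+\/=]/.test(sentChallenge)) problems.push('challenge is standard base64, not base64url');
  if (sentChallenge !== s256Challenge(verifier)) problems.push('challenge does not match verifier');
  return problems;
}

// Test vector from RFC 7636 Appendix B.
const RFC_VERIFIER = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
const RFC_CHALLENGE = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM';

console.log(diagnose(RFC_CHALLENGE, RFC_VERIFIER));                // correct pair
console.log(diagnose(btoaChallenge(RFC_VERIFIER), RFC_VERIFIER));  // bare btoa challenge
console.log(diagnose(RFC_CHALLENGE, RFC_VERIFIER + '\n'));         // verifier with stray newline
```

Passing the exact challenge string from the authorize request and the exact verifier string from the token request to `diagnose` shows which of the two sides has drifted.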