I’m building a simple React app that needs to authenticate against Genesys Cloud. I’m trying to implement the Authorization Code flow with PKCE since we’re running a single-page app. The initial redirect to /oauth/authorize works fine, and I get the code and state back in the URL.
The problem happens when I try to swap that code for an access token. I’m hitting https://api.mypurecloud.com/oauth/token with a POST request. Here is the body I’m sending:
grant_type=authorization_code
&code=AUTH_CODE_FROM_REDIRECT
&redirect_uri=http://localhost:3000/callback
&client_id=MY_CLIENT_ID
&code_verifier=MY_GENERATED_VERIFIER
I’m getting a 400 Bad Request back. The response JSON says invalid_grant. I’ve double-checked that the code_verifier matches the code_challenge I sent in the first step (using SHA-256 and base64url encoding). The redirect URI matches exactly what’s in the developer console.
Am I missing a header? I’m sending Content-Type: application/x-www-form-urlencoded. It feels like it should be working. Can someone spot what’s wrong with this request?
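A local self-check for the two things the post describes building by hand, the S256 challenge and the form-encoded token body, written for Node. This is an added example, not part of the original post and not Genesys Cloud's own code; the function names are hypothetical, the test vector is the one in RFC 7636 Appendix B, and the other values are the placeholders from the post.

```javascript
// Added example: local PKCE (RFC 7636, S256) self-check. Function names are hypothetical.
const { createHash } = require("node:crypto");

// base64url without padding, as RFC 7636 requires for code_challenge.
function base64url(buf) {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function s256Challenge(verifier) {
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

// Returns a list of problems with a verifier/challenge pair (empty list = consistent).
function checkPkcePair(verifier, challenge) {
  const problems = [];
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(verifier))
    problems.push("verifier must be 43-128 chars from A-Z a-z 0-9 - . _ ~");
  if (/[+\/=]/.test(challenge))
    problems.push("challenge is plain base64 (has + / or =), not base64url");
  const hexDigest = createHash("sha256").update(verifier, "ascii").digest("hex");
  if (challenge === base64url(Buffer.from(hexDigest, "ascii")))
    problems.push("challenge was built from the hex string, not the raw digest bytes");
  if (problems.length === 0 && challenge !== s256Challenge(verifier))
    problems.push("challenge does not match verifier");
  return problems;
}

// Form-encodes the token request; URLSearchParams percent-encodes redirect_uri.
function tokenRequestBody({ code, redirectUri, clientId, verifier }) {
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
    code_verifier: verifier,
  }).toString();
}

// Test vector from RFC 7636 Appendix B; remaining values are the post's placeholders.
const RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
const RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
console.log(checkPkcePair(RFC_VERIFIER, RFC_CHALLENGE));
console.log(tokenRequestBody({ code: "AUTH_CODE_FROM_REDIRECT",
  redirectUri: "http://localhost:3000/callback", clientId: "MY_CLIENT_ID", verifier: RFC_VERIFIER }));
```

Running the same checks on the verifier and challenge the app actually generated shows whether the pair is consistent before the token request is sent.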