Hey folks,
Trying to get the Authorization Code flow with PKCE working for a custom SPA. I’m generating the code_verifier and code_challenge locally, but hitting a 400 Bad Request at the token exchange step. The error says invalid_grant. I’ve double-checked the SHA256 hashing logic in my JS client, and the base64url encoding looks correct. Here’s the payload I’m sending to /oauth/token:
{
  "grant_type": "authorization_code",
  "code": "AUTH_CODE_FROM_REDIRECT",
  "redirect_uri": "https://myapp.local/callback",
  "code_verifier": "MY_RAW_CODE_VERIFIER"
}
Am I missing a step in the verifier generation?