Hey everyone,
I’m trying to set up a custom dashboard for our WFM team to pull adherence metrics. Since it’s a single-page app, I need to implement the Authorization Code flow with PKCE to avoid exposing client secrets in the browser.
I’ve got the code generation part working, but the token exchange keeps failing. Here’s the payload I’m sending to https://api.mypurecloud.com/oauth/token:
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=<AUTH_CODE>&redirect_uri=https://myapp.com/callback&client_id=<CLIENT_ID>&code_verifier=<VERIFIER>
The response is a 400 Bad Request:
{
"error": "invalid_grant",
"error_description": "The authorization code has expired or is invalid."
}
I’ve double-checked the code_verifier matches the code_challenge (S256) I sent in the initial auth request. The redirect URI is whitelisted. Is there a specific timeout I’m missing? Or do I need to include the client_secret even though it’s a public client?
Any pointers would be appreciated.