Encountering a persistent 401 Unauthorized response when attempting to exchange authorization codes for access tokens in a multi-organization AppFoundry deployment. The integration architecture utilizes the standard OAuth 2.0 PKCE flow, handling the initial user consent on the Genesys Cloud platform before redirecting back to our external application server. The callback receives the code parameter successfully, indicating the initial handshake is valid.
The issue arises during the subsequent POST request to https://api.mypurecloud.com/oauth/token. The request payload includes the grant_type=authorization_code, the received code, the redirect_uri, and the client_id. Despite verifying that the client credentials are correctly registered in the AppFoundry portal and that the redirect URI matches the configured value exactly, the response body consistently returns:
{
    "error": "invalid_grant",
    "error_description": "Authorization code has expired or is invalid."
}
This behavior is intermittent. Approximately 15% of login attempts fail with this error, while the remaining 85% succeed without issue. The failing requests originate from users in the America/Los_Angeles timezone, though latency to the West Coast edge nodes appears nominal. The SDK version in use is genesys-cloud-auth-client v2.4.1.
Has anyone observed similar expiration anomalies with authorization codes in a high-concurrency environment? The documentation suggests a 10-minute validity window for codes, yet these failures occur within seconds of the redirect completion. Considering the scale of our deployment, we suspect a potential race condition or a caching layer issue within the OAuth service rather than a configuration error on our end. Any insights into debugging the token exchange lifecycle or known platform-side throttling behaviors affecting this endpoint would be appreciated.
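Added example, not part of the original post: a small audit over an application's own callback and token-exchange logs for two conditions that can make a fresh authorization code fail at the token endpoint, namely a code redeemed more than once (codes are single-use under RFC 6749 section 4.1.2) and a PKCE exchange sent without code_verifier (RFC 7636 section 4.5). The log format, sample lines and function names are constructed for illustration.

```python
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical app-log format (not real data).
SAMPLE_LOG = """\
2024-05-01T17:00:00.100Z callback code=abc111
2024-05-01T17:00:00.350Z exchange code=abc111 fields=grant_type,code,redirect_uri,client_id,code_verifier status=200
2024-05-01T17:00:05.000Z callback code=def222
2024-05-01T17:00:05.200Z exchange code=def222 fields=grant_type,code,redirect_uri,client_id,code_verifier status=200
2024-05-01T17:00:05.260Z exchange code=def222 fields=grant_type,code,redirect_uri,client_id,code_verifier status=401
2024-05-01T17:00:09.000Z callback code=ghi333
2024-05-01T17:00:09.400Z exchange code=ghi333 fields=grant_type,code,redirect_uri,client_id status=401
"""

def fingerprint(code):
    # Correlate on a truncated hash so raw codes never land in reports.
    return hashlib.sha256(code.encode()).hexdigest()[:12]

def parse(line):
    # "<ISO timestamp> <event> key=value ..." -> (datetime, event, dict)
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), event, fields

def audit(log_text):
    """Return (code_fingerprint, finding, seconds_since_callback) tuples."""
    callbacks, attempts, findings = {}, defaultdict(int), []
    for line in filter(str.strip, log_text.splitlines()):
        when, event, kv = parse(line)
        fp = fingerprint(kv["code"])
        if event == "callback":
            callbacks.setdefault(fp, when)
            continue
        attempts[fp] += 1
        age = (when - callbacks[fp]).total_seconds() if fp in callbacks else None
        if attempts[fp] > 1:
            # Single-use code: a second redemption must be rejected, whatever its age.
            findings.append((fp, "code redeemed more than once", age))
        if "code_verifier" not in kv.get("fields", "").split(","):
            # A PKCE token request carries the verifier matching the code_challenge.
            findings.append((fp, "PKCE code_verifier missing", age))
    return findings

if __name__ == "__main__":
    for fp, finding, age in audit(SAMPLE_LOG):
        print(fp, finding, f"{age}s after callback")
```

Run against real logs, a cluster of "redeemed more than once" findings with sub-second ages points at duplicate callback handling (retries, double submits, several workers handling the same redirect) rather than at code lifetime.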