We’re seeing a 400 Bad Request when trying to swap the auth code for an access token. The error payload says invalid_grant with the message code_verifier does not match.
We built a simple SPA for the team to view real-time adherence logs without logging into the admin console. We’re generating the code_challenge using SHA-256 and base64url encoding in JavaScript. Here’s the flow:
const challenge = btoa(crypto.getRandomValues(new Uint8Array(32))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
We pass that in the initial GET to /oauth2/authorize. When we hit the POST endpoint /oauth2/token, we send the raw code_verifier string. The error happens immediately.
Is there something specific about how Genesys handles the encoding? We tried btoa directly but got weird chars, so we switched to the clean base64url. The docs say to use S256 but don’t specify the exact JS library quirks.
POST /oauth2/token
grant_type=authorization_code&code=...&client_id=...&code_verifier=...
Any idea why it’s failing the match?