PKCE Authorization Code Flow SPA 400 Error

Is it possible to use the Authorization Code flow with PKCE for a pure SPA without a backend? I’m hitting a 400 on the token endpoint. The code_verifier matches the challenge, and scopes are correct. Debugging in Europe/Paris time. Here’s the error response:

{
  "errors": [
    {
      "message": "Invalid authorization code or code_verifier"
    }
  ]
}

Any insights on what’s missing?

Make sure you are using the SHA-256 hash with Base64-URL encoding for the code_challenge, because standard Base64 padding causes the 400 error. 1. Generate the verifier. 2. Hash it. 3. Encode it correctly without padding.

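// Hash with Web Crypto to get the raw 32-byte digest (not hex); `await` needs an async function or ES module.
const sha256 = async s => new Uint8Array(await crypto.subtle.digest('SHA-256', new TextEncoder().encode(s)));
const base64Url = bytes => btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const codeChallenge = base64Url(await sha256(codeVerifier));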