PKCE code_verifier mismatch in Genesys Cloud SPA OAuth flow

I’m wiring up a single-page app to trigger OpenTelemetry traces for Data Action calls, and I need to grab an access token without a backend. The docs say to use Authorization Code with PKCE, so I’m generating a code_verifier and code_challenge (S256) in the browser before hitting the authorize endpoint. I’m using the standard crypto.subtle API to hash the verifier. The redirect comes back with a valid code, but when I POST to /oauth/token to swap it for a token, Genesys Cloud throws a 400 Bad Request. The error payload says invalid_grant with the message “Code verifier mismatch.” I’ve double-checked that I’m sending the exact same code_verifier string in the body as I used to generate the challenge, encoded as application/x-www-form-urlencoded.

Check your base64 encoding. You need URL-safe base64, not standard. Replace + with - and / with _, then strip trailing =. The token endpoint rejects the challenge if it doesn’t match that exact format.

btoa(String.fromCharCode(...new Uint8Array(hash))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
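
The encoding difference described in the answer, as an added example that is not code from either poster or from Genesys Cloud. It uses the test vector from RFC 7636 Appendix B; the function names are hypothetical, and `verifierMatches` models the server check as RFC 7636 section 4.6 describes it, which is an assumption about how the token endpoint behaves.

```javascript
// Added example: PKCE S256 challenge generation per RFC 7636.
// Fallback to Node's webcrypto so the same code runs outside a browser.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Standard base64: alphabet contains '+' and '/', output is padded with '='.
function toBase64(bytes) {
  return btoa(String.fromCharCode(...bytes));
}

// base64url without padding, the encoding RFC 7636 specifies for code_challenge.
function toBase64Url(bytes) {
  return toBase64(bytes).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// 32 random bytes give a 43-character verifier made only of unreserved characters.
function newVerifier() {
  return toBase64Url(webCrypto.getRandomValues(new Uint8Array(32)));
}

// digest() resolves to an ArrayBuffer, so wrap it in a Uint8Array before encoding.
async function sha256(text) {
  const ascii = new TextEncoder().encode(text);
  return new Uint8Array(await webCrypto.subtle.digest('SHA-256', ascii));
}

async function s256Challenge(verifier) {
  return toBase64Url(await sha256(verifier));
}

// Model of the token endpoint check (assumption): recompute the challenge
// from the submitted verifier and compare with the one stored at /authorize.
async function verifierMatches(verifier, storedChallenge) {
  return (await s256Challenge(verifier)) === storedChallenge;
}

// Test vector from RFC 7636 Appendix B.
const RFC_VERIFIER = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';

// Encode the same digest both ways and see which challenge the check accepts.
async function demo() {
  const digest = await sha256(RFC_VERIFIER);
  const urlSafe = toBase64Url(digest);
  const standard = toBase64(digest);
  const urlSafeAccepted = await verifierMatches(RFC_VERIFIER, urlSafe);
  const standardAccepted = await verifierMatches(RFC_VERIFIER, standard);
  return { urlSafe, standard, urlSafeAccepted, standardAccepted };
}

demo().then((result) => console.log(result));
```

If the standard-base64 challenge is placed in the authorize URL without percent-encoding, `+` is additionally decoded as a space by form parsing, so the stored value can differ from what the client computed in more than one way.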