Trying to implement the Authorization Code flow with PKCE for a standalone SPA that needs to pull queue stats without storing client secrets. The frontend generates the code challenge and redirects to the authorize endpoint, which returns the authorization code as expected. The backend then swaps that code for an access token, but the /oauth/token endpoint keeps throwing a 400 Bad Request with the error message invalid_grant. It claims the code_verifier doesn’t match, even though I’m using the exact same raw string for the verification.
Here’s the token request payload I’m sending. The code_challenge_method is set to S256. I’ve double-checked the hashing logic and it matches the spec, so I’m not sure where the mismatch is coming from. Any ideas?
{
"grant_type": "authorization_code",
"code": "AUTH_CODE_VALUE",
"code_verifier": "RAW_CODE_VERIFIER_STRING",
"redirect_uri": "https://my-app.local/callback"
}