Setting up a SPA with Auth Code flow and PKCE. The authorization redirect works, but the token exchange fails with a 400 Bad Request.
POST /oauth/token
{
"grant_type": "authorization_code",
"client_id": "my-client-id",
"code": "auth-code-from-redirect",
"redirect_uri": "https://myapp.local/callback",
"code_verifier": "generated-verifier-string"
}
The error response says invalid_grant with error_description: “The code_verifier does not match the code_challenge”. I’m generating the challenge with SHA-256 and Base64Url encoding, so the math should be right. Anyone else hit this wall?