Struggling to understand why the token exchange fails with a 400 error despite correct PKCE parameters.
I am building a GraphQL gateway that wraps Genesys Cloud APIs for a single-page application. The SPA performs the initial authorization code flow with PKCE. The frontend generates the code verifier and challenge correctly. It redirects to the Genesys Cloud authorization endpoint. After user consent, it receives the code and sends it to my Node.js backend via a secure channel. The backend then calls the token endpoint to exchange the code for an access token.
The request fails with 400 Bad Request. The error response is "error": "invalid_grant" with "error_description": "Code verification failed". I am using the @genesyscloud/purecloud-platform-client-v2 SDK for the backend call. Here is the token request logic:
const { token } = await client.getOauthApi().postOauthToken({
grant_type: 'authorization_code',
code: req.body.code,
redirect_uri: 'https://my-app.com/callback',
code_verifier: req.body.codeVerifier
});
I have verified that the code_verifier sent by the frontend matches the one derived from the code_challenge. The redirect_uri matches exactly. The code is fresh. Is there a specific format requirement for the code_verifier in the SDK that differs from the standard RFC 7636 implementation? Or is the SDK modifying the payload before sending?