Building a single-page app that needs to call Genesys Cloud Data Actions from the browser. Trying to implement the Authorization Code flow with PKCE. The initial auth request to https://api.mypurecloud.com/oauth/authorize works fine, gets redirected back with the code.
The problem is the token exchange. Sending a POST to https://api.mypurecloud.com/oauth/token returns 400 Bad Request with invalid_grant. I’ve checked the clock skew, it’s negligible. The client ID matches.
Here is the token request body:
{
  "grant_type": "authorization_code",
  "code": "AUTH_CODE_FROM_REDIRECT",
  "redirect_uri": "http://localhost:3000/callback",
  "code_verifier": "LONG_RANDOM_STRING_VERIFIER",
  "client_id": "MY_CLIENT_ID"
}
The code_verifier was generated using crypto.getRandomValues and base64url encoded properly. The challenge in the authorize request was the SHA-256 hash of this verifier.
I’m using the standard application/x-www-form-urlencoded content type.
Is there something specific about how Genesys validates the PKCE verifier in this context? The docs say it’s supported but don’t give examples of the token exchange payload structure.
Also, is the redirect_uri required in the token request body? I’ve seen conflicting info on that.
Getting tired of staring at the network tab.