visitvinoth asked

'Code not valid' error always


I have been trying to authenticate with the authorization_code flow.

I followed the postman tutorial and it was working fine. I was able to get the access code.

But then I tried the same from cURL. Though I have passed the token exactly as I received it in the authorize API response, I have always been getting the following error response.

{"error":"invalid_grant","error_description":"Code not valid"}%

Here is the cURL.

I have been sending the following items to the token URL (

  1. client_secret
  2. client_id
  3. code (as received in authorize call)
  4. grant_type (authorization_code)
  5. redirect_uri (one of URLs added in the app)

Additionally, setting 'Content-Type: application/x-www-form-urlencoded' in the header.

I have made sure that I am passing all other params right too.

What could be the issue here?

  1. Is it any parameter I am missing?
  2. Are you considering similarity in the user-agent?
  3. In postman, for getting token, I see some Bearer-Token is passed in the header? What is it? Is it needed?

I also have tried the 'Private Key Authentication'. Even if I pass the private_key_jwt, it is asking for the client_secret which again is against its purpose. Even then, I am getting the same error as above.

Please help me cross this blocker.


1 Answer

majusmisiak answered

Hello @visitvinoth

To answer your questions from last to first, "Bearer" is the token type that is used to authorize all API requests that your application will make.

The Authorization Code flow does not consider the "User-Agent" header at any stage. It does, however, persist a unique identifier for each user session.

A web browser / web application will handle that transparently, by storing the session identifier as a cookie. The same process takes place when you are using Postman to get a new access token. Postman works to hide any additional complexity from the end user.

The above is not true for tools like curl, which operate on a lower level. Here it is the user's responsibility to ensure that the login request contains all needed data.

Answering your main question, the "Code not valid" error message is a general one. It may have one of the following meanings:

  1. That the code is not valid, or is valid but incorrectly URL encoded
  2. That the code is correct, but it has already been used by another user session

Each authorization code can be used only once, to generate a single new access token. As such, generating multiple access tokens from one code is not possible. One reason why you may be receiving this error is that the authorization code was already used, either by Postman or by the web application.

If this is not the case for you, please provide the steps that you used to generate the authorization code and I will try to provide further help.
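As an added example (not part of the original answer, and not the provider's own code), the script below takes the redirect URL returned by the authorize step, decodes the `code` parameter once, and lets curl URL-encode it exactly once when posting the five parameters listed in the question. The token endpoint `https://auth.example.com/oauth2/token`, the environment variable names and the function names are assumptions.

```shell
#!/bin/sh
# Added example. TOKEN_URL is a placeholder, not the provider's real endpoint.
TOKEN_URL="${TOKEN_URL:-https://auth.example.com/oauth2/token}"

# Percent-decode one query value (ASCII authorization codes assumed).
urldecode() {
  printf '%s' "$1" | LC_ALL=C awk '
    BEGIN { hex = "0123456789abcdef" }
    { s = $0; out = ""
      gsub(/\+/, " ", s)                      # "+" means space in a query string
      while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
        h = tolower(substr(s, RSTART + 1, 2))
        n = (index(hex, substr(h, 1, 1)) - 1) * 16 + index(hex, substr(h, 2, 1)) - 1
        out = out substr(s, 1, RSTART - 1) sprintf("%c", n)
        s = substr(s, RSTART + 3)
      }
      printf "%s", out s }'
}

# Extract the "code" query parameter from a redirect URL and decode it once.
# Returns non-zero when the redirect carries no code (for example an error redirect).
code_from_redirect() {
  raw=$(printf '%s\n' "$1" |
    sed -n 's/^[^?]*?\(.*&\)\{0,1\}code=\([^&#]*\).*/\2/p')
  [ -n "$raw" ] || return 1
  urldecode "$raw"
}

# Exchange the code. --data-urlencode makes curl encode each value exactly once,
# so "+", "/" and "=" inside the code reach the server intact.
exchange_code() {
  code=$(code_from_redirect "$1") || { echo "no code in redirect URL" >&2; return 1; }
  curl -sS "$TOKEN_URL" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode "grant_type=authorization_code" \
    --data-urlencode "code=$code" \
    --data-urlencode "redirect_uri=${REDIRECT_URI:?set REDIRECT_URI}" \
    --data-urlencode "client_id=${CLIENT_ID:?set CLIENT_ID}" \
    --data-urlencode "client_secret=${CLIENT_SECRET:?set CLIENT_SECRET}"
}

# Usage: ./exchange.sh 'https://your-app/callback?code=...&state=...'
if [ "$#" -gt 0 ]; then
  exchange_code "$1"
fi
```

If the exchange still returns `invalid_grant`, request a fresh code from the authorize step instead of resending the same one, since each code can be exchanged only once.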
