"@auth0/auth0-spa-js": "^1.12.1",

Hi all,

I am trying to integrate “@auth0/auth0-spa-js”: “^1.12.1” for “Authorization Code Grant Flow with PKCE”.

When I do a “getTokenSilently()” call, I see that the first call goes to /authorize and returns 200. However, after that, multiple “/oauth/token” calls go out but all end up in error.

I tried looking around but could not find any issue.

Can you please suggest what could be wrong?

What is your oauth/token sending as part of the body? Are you getting 401 or something else as the response code?


This is what I see:

The response is empty, without any code.


I see this issue happening only in Google Chrome. In Firefox, I am able to get the token correctly.

In the screen below, I see that the __cfuid and *_compat cookies are rejected for a sameSite issue. I believe that is the difference between Chrome and Firefox.

@dan.woda can you please help me with this?

I’m having the same issue. But I verified against Chrome, Safari, and Firefox on Mac OS where they all behave the same - 401 response. You may also see an error in your Console that says “Invalid State”.

There seem to be a number of different ways that Invalid State can be caused.

The underlying theme is that there is a misconfiguration somewhere that is causing this behavior. But I can’t isolate it in my environment - yet.


Those compatibility cookies will give you a warning, but shouldn’t be causing the problem. Can you please DM me a HAR file with a capture of the transaction?

@snehal.libra I just had support help me address my issue. The SPA was configured with POST for “Token Endpoint Authentication Method” (I didn’t set that; it was defaulted to POST when the app was created). However, that seems to require the Secret being passed. I had to change to Web Application, set the method to NONE, then change it back to SPA, and was able to get past the same 401 error. Hopefully that helps you as well.


Thanks for the follow up @dmitry.

It looks like the same issue as this thread. If it is, it’s a bug.
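
The cause reported above (an SPA whose “Token Endpoint Authentication Method” is POST, so the token endpoint expects a client secret that a PKCE browser client never sends) can be checked against a captured /oauth/token request. This is an added example, not part of the original thread or of auth0-spa-js; the function names and sample values are constructed, and the `app_type` / `token_endpoint_auth_method` values are assumed to follow the Auth0 Management API client object.

```javascript
// Added example: explain a 401 from /oauth/token by comparing the app's
// settings with what the browser actually sent. Function names and sample
// values are constructed for illustration.

// Parse a captured request body (JSON or form-encoded) into a plain object.
function parseTokenRequestBody(raw) {
  const text = raw.trim();
  if (text.startsWith('{')) return JSON.parse(text);
  return Object.fromEntries(new URLSearchParams(text));
}

// appSettings: the application's `app_type` and `token_endpoint_auth_method`
// (assumed values: "none", "client_secret_post", "client_secret_basic").
function diagnoseTokenRequest(appSettings, rawBody, headers = {}) {
  const body = parseTokenRequestBody(rawBody);
  const findings = [];
  const method = appSettings.token_endpoint_auth_method;
  const hasBasic = /^Basic\s/i.test(headers.authorization || '');
  const hasSecret = 'client_secret' in body || hasBasic;

  if (body.grant_type === 'authorization_code' && !body.code_verifier && !hasSecret) {
    findings.push('no code_verifier and no client credential in the code exchange');
  }
  if (method !== 'none' && !hasSecret) {
    findings.push(`app requires ${method} but the request carries no client secret: expect 401`);
  }
  if (appSettings.app_type === 'spa' && method !== 'none') {
    findings.push('SPA is a public client: set Token Endpoint Authentication Method to None');
  }
  if (appSettings.app_type === 'spa' && hasSecret) {
    findings.push('client secret is being sent from a browser: remove it and rotate the secret');
  }
  return findings;
}

// Constructed sample: a PKCE code exchange as a browser app would send it.
const sampleBody = JSON.stringify({
  grant_type: 'authorization_code',
  client_id: 'EXAMPLE_CLIENT_ID',
  code: 'EXAMPLE_CODE',
  code_verifier: 'EXAMPLE_VERIFIER',
  redirect_uri: 'https://app.example.com/callback',
});

const misconfigured = { app_type: 'spa', token_endpoint_auth_method: 'client_secret_post' };
const corrected = { app_type: 'spa', token_endpoint_auth_method: 'none' };
console.log(diagnoseTokenRequest(misconfigured, sampleBody));
console.log(diagnoseTokenRequest(corrected, sampleBody));
```

The request body can be copied from the browser's network panel or from a HAR capture like the one requested earlier in the thread.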
