Authorisation code flow: Error 403


I am following the Authorization Code Flow (Call Your API Using the Authorization Code Flow ( and I receive Error 403 {“error”:“invalid_grant”,“error_description”:“Invalid authorization code”} when I make the token request.

I complete step 1 successfully and Auth0 generates a URL in the format:

I then make the a token request using the AUTHORIZATION_CODE from the URL:

curl --request POST \
–url ‘
–header ‘content-type: application/x-www-form-urlencoded’
–data ‘grant_type=authorization_code’
–data ‘client_id=MY_ID’
–data ‘client_secret=MY_SECRET’
–data ‘redirect_uri=’

I have checked all parameters and all are correct. All prerequisites are correct and API is authorised for the application.

Any help will be appreciated.

Hi @jack.cattell,

Thanks for reaching out to the Auth0 Community!

I understand that you’ve encountered the 403 invalid grant and Invalid authorization code error when requesting the /oauth/token endpoint.

This error can happen for a few reasons. The provided authorization code could be invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. This is described in the OAuth 2.0 error code specification rfc6749.

I have gone ahead and tried to reproduce the error and was able to by using an expired authorization code. See below:

Given that, I recommend that you identify whether the authorization code you used satisfies one of the reasons mentioned earlier. And then adjust your requests if needed.

Hoped this helps!

Please let me know if there’s anything else I can do to help.

Thank you.

Thank you for your response.

I will check. How quickly does a code expiry (I however make the token request as soon as I receive the authorisation code)?

Could you also explain what ‘does not match the redirection URI’ means exactly? My hunch is this is more likely explanation but I am unsure what I have to check.


Hi @jack.cattell,

Thank you for your reply.

According to the OAuth 2.0 specification, the authorization code expires shortly after it is issued, with a maximum authorization code lifetime of 10minutes (could potentially be shorter). If you are making your requests immediately after receiving your authorization code, you can eliminate this error as a possibility.

What is meant by “does not match the redirection URI used in the authorization request” means that your redirect_uri parameter should match in both your /authorize request and /oauth/token request.

If this is the case, you’ll need to make sure these values are the same.

Please let me know if you have any other questions. I’d be happy to help.

Thank you.

Thanks. I will check

Hi all.

I have started to get this error recently. It might be the same reason as you mention.

We are sometimes getting a code ending with a #(hashtag) first time a user authenticates with google.
When I post it to oauth/token, it always returns a 403.
I have tried with and without encoding the value, but it makes no difference.

Still works the second time the user gets a code (after he is added to the auth0 database). All other connections works fine (facebook, apple and email/password)


1 Like

The #(hashtag) is a fragment identifier and not part of the code.

The problem here, was that our frontend parser of the URL, only considered ? and & to split parameters, so it put the fragment identifier as part of the code parameter.


1 Like


I updated the redirect_uri and it worked, but then stopped working and I have the same problem now which has baffled me. Any further ideas?


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.