Regression of 401/Unauthorized when obtaining token in Authorization Code grant

I followed SPA + Vanilla

When I started my brand new account I selected SPA + Vanilla also.

After sign in page and when it redirects back to my website the POST + Pre-flight only gets 401 Unauthorized.

I figured out the solution because it seems you have partly made a regression bug from a past bug.


  1. Change account Credentials - Authentication Methods to “None”
  2. Settings - Application type - change from SPA to Regular Web Application

(Do you mean a Node.js backend when you write SPA? I believe SPA is the wrong word, you can create a website in Next.js which is based on Node.js backend to Not be a SPA or be a SPA, either works - ofc the intention is for it to be SPA)

Hey. Thanks for reaching out.

SPA supports only PKCE and hence token exchange with confidential clients in backend are not supported. Hence you were getting 401 error while trying to obtain token.

Node.js is being considered as backend in your case. You can only use that if you need to validate tokens that may be consumed as a separate package. For public clients/SPAs, Please make sure to follow the best practices. Let me know if that answers your question.


I don’t think you understand. How your service works today; A brand new customer signs up on for an account and selects to use SPA (client-side JavaScript). He/she gets default settings that will NOT work for client-side js. So it’s a bug. I wrote the steps needed to get around it above however, best is if it works from the start though?

Hi, Thanks for clearing that up.

Are you referring to this old bug?


Yes it’s very similar at least