What does invalid_grant mean?

The authorization code expired, was reused, or the PKCE verifier does not match. Check your code exchange timing and PKCE implementation.

What does redirect_uri_mismatch mean?

The redirect_uri in your request does not exactly match the registered URI in your provider dashboard.

Reference

OAuth 2.0 Error Codes Reference

OAuth errors return a JSON body with an error field and usually an error_description. Here is every standard error code, what it means, and how to fix it.

Error Code	Meaning	Common Cause	Fix
invalid_grant	Authorization code or refresh token is invalid	Code expired, reused, PKCE mismatch, refresh token rotated	Exchange code immediately; check PKCE verifier; handle rotation
invalid_client	Client authentication failed	Wrong client_id or client_secret; secret rotated	Check credentials in provider dashboard; update rotated secret
invalid_request	Malformed request	Missing required parameter; wrong encoding	Check all required params; use URLSearchParams for encoding
unauthorized_client	Client not authorized for this grant type	Grant type not enabled for your app	Enable the grant type in provider dashboard
access_denied	User denied access	User clicked "Cancel" on consent screen	Handle gracefully — redirect to login or show explanation
unsupported_grant_type	Server does not support this grant type	Using deprecated Implicit Flow or wrong grant type	Switch to Authorization Code + PKCE for user flows
invalid_scope	Requested scope is invalid or not permitted	Typo in scope name; scope not configured for client	Check exact scope names in provider docs; enable in dashboard
redirect_uri_mismatch	redirect_uri does not match registered URI	Trailing slash, protocol, or port difference	Exact string match required — check provider dashboard
server_error	Auth server internal error	Provider-side issue	Retry with exponential backoff; check provider status page
temporarily_unavailable	Auth server temporarily unavailable	Provider maintenance or outage	Retry after delay; check provider status page

Error response format

{
  "error": "invalid_grant",
  "error_description": "The provided authorization grant is invalid, expired, or revoked.",
  "error_uri": "https://tools.ietf.org/html/rfc6749#section-5.2"
}

How to debug OAuth errors

Log the full error response — including error_description, not just the status code
Check the exact parameter values you are sending — log them before the request
Use OAuthFixer to walk through the error by provider — Auth0, Okta, Cognito, Google, Microsoft each have specific causes and fixes

Debug your OAuth error → OAuthFixer