Invalid_client - Client authentication failed SPA

I’m trying to get my SPA working. I’m using this one:

After logging in from the Okta UI to issue the token, I get:

{"error":"invalid_client","error_description":"Client authentication failed. Either the client or the client credentials are invalid."}

I followed step by step the documentation.

This is the request I’m doing:

curl '' -H 'authority:' -H 'accept: application/json' -H 'x-okta-user-agent-extended: @okta/okta-vue/1.1.1 okta-auth-js-2.7.0' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36' -H 'content-type: application/x-www-form-urlencoded' -H 'origin: http://localhost:8080' -H 'sec-fetch-site: cross-site' -H 'sec-fetch-mode: cors' -H 'referer: http://localhost:8080/implicit/callback' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en,en-US;q=0.9,es;q=0.8,ru;q=0.7,it;q=0.6,pt;q=0.5,de;q=0.4,gl;q=0.3,fr;q=0.2' --data 'client_id=xxxxxx&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fimplicit%2Fcallback&grant_type=authorization_code&code=xxxxxxx&code_verifier=ce978da81d8fc55exxxef2779045343605e2a24fbc' --compressed

And my config looks like this:

I’m pretty sure I’m missing some silly thing…

Appreciate any help.


Hi @deck1187hw,

The application was created as a Web application integration rather than an SPA. In the case of a Web application, the configuration uses a ClientID and Client Secret. Hence you need to pass the ClientID and Client Secret in the Authorization header when invoking the token endpoint. In the case of an SPA, you pass the Code_Challenge to the Authorization endpoint and the Code_verifier to the Token endpoint.

They don’t make this obvious at all. What you need to do is the following:
Authorization: Basic ${Base64(<client_id>:<client_secret>)}

You can generate this from the command line like this:

echo -n '<client_id>:<client_secret>' | openssl base64 -A