Python Generate a Token with a Code

I am trying to create a token with a valid code for use in a 3rd party client.

So, I am able to authenticated and create a token within the Python Flask web environment.


I’ve created an alternate redirect URL that will let me create an environment within my Flask application that does not use the web tokens. I’m able to authorize the token within the python environment.

g.url = f"{os.getenv('OKTA_ORG_URL')}/oauth2/default/v1/authorize?" \
        f"client_id={os.getenv('OKTA_API_CLIENT_ID')}&" \
        f"response_type=code&" \
        f"redirect_uri=http://localhost:5000/validate_token&" \

return redirect(g.url)

And then I get a valid code.

Following the documentation here:

I should be able to take the code and turn it into a token that I can then use to prove authorization, but I keep getting

“errorCode”:“invalid_client”,“errorSummary”:"Invalid value for ‘client_id’

Here is the call I am posting from within the method to get the authorization token.

g.url = f"{os.getenv('OKTA_ORG_URL')}/oauth2/default/v1/token"

data = {
    "grant_type": "authorization_code",
    "redirect_uri": {os.getenv('VALIDATE_TOKEN')},
    "code": g.code

# ${Base64(<client_id>:<client_secret>)}
auth_code = base64.b64encode(f"{os.getenv('OKTA_API_CLIENT_ID')}:{os.getenv('OKTA_API_CLIENT_SECRET')}".encode("utf-8"))

headers = {
    'Accept': 'application/json',
    'Authorization': f"Basic {auth_code}",
    'content-type': "application/x-www-form-urlencoded"

response =, headers=headers, data=data)

Does anyone have any suggestions on how to dig in here to get a better understanding why my token won’t validate?

Hi @timburnsowlmtn

Can you please double check (copy and paste) the client ID and client secret from Okta to the environment variables and try again? Based on our logs, the client secret used in the request is invalid.

Hi Dragos,
Thank you. I copied the client id and secret from the page. I also base64 encoded using the following command line:


Now when make the call, I get the error message:

{“error”:“invalid_client”,“error_description”:“The client secret supplied for a confidential client is invalid.”}