The authorization code is invalid or has expired

I get the below error back many times per day when users post to /token. Does anyone know what can cause an auth code to become invalid or expired? Considering the auth code is typically immediately used to grab a token, what situation would allow it to expire?

{"error":"invalid_grant","error_description":"The authorization code is invalid or has expired."}

One thought comes to mind. If you double submit the code, it will be expired / invalid because it is already used.

You can check Okta’s logs to see a pattern that a user is granted a token and then there is a failed.

When you are looking at the log, if you click on the code target (the one that isn’t in parentheses) you can see other requests using the same code.

Hope this helps! Let me know if this was the issue.
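The check described in this reply can also be run over your own client-side records of `/token` attempts. The sketch below is an added example, not part of the original reply and not Okta code; the record fields (`t`, `code_fp`, `outcome`) and the sample rows are constructed assumptions. It separates codes that failed after an earlier success (double submission) from codes that failed on first use (which points at expiry or a code altered in transit).

```python
import hashlib
from collections import defaultdict

def fingerprint(code: str) -> str:
    """Short SHA-256 fingerprint so the raw authorization code is never logged."""
    return hashlib.sha256(code.encode("utf-8")).hexdigest()[:12]

# Constructed sample records (not Okta System Log output). Field names are
# assumptions: t = seconds, code_fp = fingerprint(code), outcome = result.
SAMPLE_ATTEMPTS = [
    {"t": 100.0, "code_fp": "a1", "outcome": "success"},
    {"t": 100.4, "code_fp": "a1", "outcome": "invalid_grant"},
    {"t": 205.0, "code_fp": "b2", "outcome": "success"},
    {"t": 310.0, "code_fp": "c3", "outcome": "invalid_grant"},
    {"t": 411.0, "code_fp": "d4", "outcome": "invalid_grant"},
    {"t": 411.2, "code_fp": "d4", "outcome": "invalid_grant"},
]

def classify_code_usage(attempts):
    """Group token attempts by code fingerprint and label each code."""
    by_code = defaultdict(list)
    for attempt in attempts:
        by_code[attempt["code_fp"]].append(attempt)

    report = {}
    for fp, rows in by_code.items():
        rows.sort(key=lambda r: r["t"])
        outcomes = [r["outcome"] for r in rows]
        if "invalid_grant" not in outcomes:
            verdict = "ok"
        elif outcomes[0] == "success":
            # First use worked, a later use of the same code was rejected.
            verdict = "replayed_after_success"
        else:
            # The very first exchange was rejected: not a double submit.
            verdict = "failed_on_first_use"
        report[fp] = {
            "verdict": verdict,
            "attempts": len(rows),
            "span_s": round(rows[-1]["t"] - rows[0]["t"], 3),
        }
    return report

if __name__ == "__main__":
    for fp, info in classify_code_usage(SAMPLE_ATTEMPTS).items():
        print(fp, info)
```

A short `span_s` on a `replayed_after_success` code usually means the callback or the token request fired twice in the client.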

I am getting the same error while executing the below Okta API in SoapUI
with the below header parameters
Authorization-Basic MG9hZG5lcDhyelJwcGI4WGUwaDc6bHNnLWhjYkh1eVA3VngtSDFhYmR0WC0ydDE2N1YwYXA3dGpFVW92MA==

The error I am getting is {"error":"invalid_grant","error_description":"The authorization code is invalid or has expired."}

Are you actually passing the code?

Could you resolve this issue? I am facing the same error. Also, I do not see any logs on the developer portal. So these codes are definitely not used once.

Hi @snsinha

Can you please open a support case with us at in order to have one of our Developer Support Engineers further assist you?

I get the same error intermittently. I could track it down though. If the authorization code has a backslash symbol in it, the Okta API call to token throws this error. If not, it returns tokens. I get the authorization token with response_type=okta_form_post. I have verified this is only happening if I use okta_form_post; other response types seem to be working fine. Are you aware of this issue?

I’m using the Okta Postman authorization collection to get the token with “Get ID Token with Code and PKCE”