Quickstart — cURL - Authaz

# Code verifier — a random string between 43 and 128 chars
CODE_VERIFIER=$(openssl rand -base64 96 | tr -d '=+/' | cut -c1-128)
 
# Code challenge — base64url(SHA256(verifier))
CODE_CHALLENGE=$(echo -n "$CODE_VERIFIER" | openssl dgst -binary -sha256 | openssl base64 | tr -d '=' | tr '/+' '_-')
 
echo "verifier:  $CODE_VERIFIER"
echo "challenge: $CODE_CHALLENGE"

https://your-app.authaz.io/oauth2/authorize
  ?client_id=YOUR_APP_ID
  &redirect_uri=http://localhost:3000/callback
  &response_type=code
  &code_challenge_method=S256
  &code_challenge=YOUR_CHALLENGE
  &scope=openid%20profile%20email
  &state=$(openssl rand -hex 16)

http://localhost:3000/callback?code=AUTH_CODE&state=...

curl -X POST "https://your-app.authaz.io/oauth2/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=AUTH_CODE" \
  -d "client_id=YOUR_APP_ID" \
  -d "redirect_uri=http://localhost:3000/callback" \
  -d "code_verifier=$CODE_VERIFIER"

{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "id_token": "eyJhbGciOiJSUzI1NiIs...",
  "refresh_token": "rt_01h...",
  "token_type": "Bearer",
  "expires_in": 900,
  "scope": "openid profile email"
}

curl -X POST "https://your-app.authaz.io/oauth2/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token" \
  -d "refresh_token=rt_01h..." \
  -d "client_id=YOUR_APP_ID"

Symptom	Likely cause	Fix
`invalid_request` after sign-in	The `redirect_uri` in Step 2 doesn't match what's registered.	Compare exactly — trailing slash, port, scheme. Add `http://localhost:3000/callback` to Settings → Redirect URIs.
`400 invalid_grant` on token exchange	Authorization code already used, or expired (codes are single-use and short-lived).	Restart from Step 2 to get a fresh code.
`400 invalid_grant` with code unused	`code_verifier` doesn't match the original `code_challenge`.	Re-run Step 1 and Step 2 in the same shell so `$CODE_VERIFIER` survives.
`401 invalid_client`	Wrong `client_id`, or you sent a client secret you shouldn't have for PKCE.	PKCE flows don't send a secret. Check the Application ID.
`401` on `/oauth2/userinfo`	Access token expired (default: 15 minutes).	Use the refresh token (Step 5) or sign in again.

Quickstart — cURL

Prerequisites#

Step 1 — Generate a PKCE pair#

Step 3 — Exchange the code for tokens#

Step 4 — Call a protected endpoint#

Step 5 — Refresh when the token expires#

If something's wrong#

What's next#

Next steps#

Prerequisites#

Step 1 — Generate a PKCE pair#

Step 2 — Send the user to Authaz Sign-In#

Step 3 — Exchange the code for tokens#

Step 4 — Call a protected endpoint#

Step 5 — Refresh when the token expires#

If something's wrong#

What's next#

Next steps#