Question

Trouble with OAuth2 Token Exchange using Calendly API - Invalid Grant Error

  • 12 April 2024
  • 2 replies
  • 178 views

Hello Calendly Developer Community,

I'm currently working on integrating Calendly into our Node.js/Express application to allow users to manage their appointments. I have successfully directed users to the authorization URL, and they can authorize the application successfully. However, I am encountering an issue during the OAuth token exchange phase.

Process Overview:

  1. User Authorization: Users are redirected to the following URL to authorize:

    https://auth.calendly.com/oauth/authorize?client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_ENCODED_REDIRECT_URI&response_type=code

    Upon successful authorization, they are redirected back with an authorization code.

  2. Authorization Code Example:

    Code received: qc_wV5N-WYdM8ROY-xZJRVwQUp2nx_mY3ONn1i3Yb_Q

  3. Token Exchange Request: I then make a POST request to exchange the authorization code for an access token:

    curl --request POST \
      --url https://auth.calendly.com/oauth/token \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'grant_type=authorization_code' \
      --data-urlencode 'code=qc_wV5N-WYdM8ROY-xZJRVwQUp2nx_mY3ONn1i3Yb_Q' \
      --data-urlencode 'redirect_uri=https://backend.webboar.com:3000/api/integrations/add/calendly'

Error Received: Upon making the token exchange request, I receive the following error:

{ "error": "invalid_grant", "error_description": "The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client." }

This error occurs even though I am using the same redirect_uri as in the initial authorization request and the code is freshly received.

Could anyone suggest what might be going wrong or how to debug this issue further? Any insights or similar experiences shared would be greatly appreciated. I am using Node.js/Express and handling the OAuth flow manually, as well as attempting to use the simple-oauth2 library for managing OAuth flows.

Thank you for any help you can provide!


2 replies

Hi Eugene,

Thanks for reaching out!

I took a look at the error and this is referring to the grant being used as invalid. I see you have grant_type = authorization_code as expected, but can you be sure this is in the body of the request?

Also, can you be sure that the authorization code is valid, or try to generate another to send over with the grant?

Thank you!

Process Overview:

User Authorization: Users are redirected to the following URL to authorize:

https://auth.calendly.com/oauth/authorize?client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_ENCODED_REDIRECT_URI&response_type=code

Upon successful authorization, they are redirected back with an authorization code.

Authorization Code Example:

Code received: mRHPuq-kywcxyz6AD3cKgG0it8vzSkuQIJ8OtDkPkUs

Token Exchange Request: I then make a POST request to exchange the authorization code for an access token:

    curl --location 'https://auth.calendly.com/oauth/token' \
      --header 'Authorization: Basic ZHFreW9ncGJES1VIWmRRaDdEWFUxRHdTZmVwbl9WNVptN1JDazlqSmh0STpnUkIxbHVmeGtaUWpTd29RN0ZNdmZTbXBoMGt2UDJUZjRVbnMwajMzU0xN' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --header 'Cookie: __cf_bm=iRrCgJV2HhSyp9iJZbEkH18n_BNITlmDz7kU2zkfw0I-1720599144-1.0.1.1-soOHNn03lVAJ4HBWJT2lGGmp4ovzxzFLzqUr1ht1cOSA45Aw7qUgCkmjtrQUCtesAJ0D.XM6oblM54Q1vi5_Ig; __cfruid=079e4565a29339b59d8acd8479c9fd1837999023-1720590508; _cfuvid=DlyFqVkERE_aLZePca75.F3eEAE5iFhnCAJqKRAfO3s-1720590508613-0.0.1.1-604800000' \
      --data-urlencode 'grant_type=authorization_code' \
      --data-urlencode 'code=mRHPuq-kywcxyz6AD3cKgG0it8vzSkuQIJ8OtDkPkUs' \
      --data-urlencode 'redirect_uri=https://atul.ecarter.co/may_setup/'

Error Received: Upon making the token exchange request, I receive the following error:

    {
        "error": "invalid_grant",
        "error_description": "The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."
    }

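A preflight check for the token exchange discussed in this thread, as an added example that is not part of any post and is not Calendly's code: it builds the request with HTTP Basic client authentication (the form used in the second curl command) and compares it with the authorization URL for the mismatches named in the invalid_grant description. The function names, the client id and secret and the redirect URI passed in are hypothetical; the check for a reused code assumes single-use authorization codes, as RFC 6749 specifies.

```javascript
// Added example, not from the thread. Credentials and redirect URIs passed in
// are placeholders; the token endpoint is the one shown in the posts above.
const TOKEN_URL = 'https://auth.calendly.com/oauth/token';

// Build the token request: form-encoded body plus HTTP Basic client auth.
function buildTokenRequest({ clientId, clientSecret, code, redirectUri }) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri, // URLSearchParams encodes it exactly once
  });
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  return {
    url: TOKEN_URL,
    method: 'POST',
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: body.toString(),
  };
}

// Compare the request with the authorize URL the user was sent to and list
// the locally checkable conditions that lead to invalid_grant.
function preflight(authorizeUrl, req, redeemedCodes = new Set()) {
  const problems = [];
  const authz = new URL(authorizeUrl).searchParams;
  const form = new URLSearchParams(req.body);
  if (form.get('grant_type') !== 'authorization_code') {
    problems.push('grant_type=authorization_code is not in the body');
  }
  if (form.get('redirect_uri') !== authz.get('redirect_uri')) {
    problems.push('redirect_uri differs from the authorization request');
  }
  const header = req.headers.Authorization || '';
  const sentId = header.startsWith('Basic ')
    ? Buffer.from(header.slice(6), 'base64').toString().split(':')[0]
    : form.get('client_id');
  if (!sentId) problems.push('no client credentials sent');
  else if (sentId !== authz.get('client_id')) {
    problems.push('code was issued to another client_id');
  }
  if (redeemedCodes.has(form.get('code'))) {
    problems.push('authorization code was already redeemed');
  }
  return problems;
}
```

An empty array from `preflight` means the request is consistent with the authorization URL; an expired or revoked code can only be detected by the server.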