Exchange authorization code for access token => 403 : error_description: "Invalid authorization code

I receive 403 when I POST a request to get the token.

Request payload:








responseType: 'text'

URL: ''

1 answer

0 votes
Andy Heinzer
Atlassian Team
Jul 31, 2020

Hi Hosein,

I see that you are getting a 403 error when trying to get an OAuth token here. However, I'm not sure I understand which version of OAuth you are using here (1.0 or 2.0) or which kind of integration you are attempting to make.

The URL you are calling makes me think you're trying to follow But if that's the case, then I'd want to better understand if you have first completed step #1

1. Direct the user to the authorization URL to get an authorization code

As described in the Overview above, your app should start the authorization flow by directing the user to the authorization URL:

If the callback URL does not match exactly (including any trailing /) then this could explain the bad request error here.   I can see in the 2nd call your redirect_uri is


But I don't know exactly what was entered in step #1 here.

Also, what headers are being included in this 2nd request? I don't see a clear problem with the payload, but sometimes if we don't specify the headers then it can be seen as a bad request.

The example on that page is using curl to make this request:

curl --request POST \
  --url '' \
  --header 'Content-Type: application/json' \
  --data '{"grant_type": "authorization_code","client_id": "YOUR_CLIENT_ID","client_secret": "YOUR_CLIENT_SECRET","code": "YOUR_AUTHORIZATION_CODE","redirect_uri": "https://YOUR_APP_CALLBACK_URL"}'

Try this and let me know the results.

If you're following a different guide here, please let me know which one.


Thank you @Andy Heinzer for the response.

I am using OAuth 2.0 and I direct the user to the login page and it comes back with code successfully.  But in the second request when I send the POST request to get the token this error occurs.  

This is the header for the second request:

{'Content-Type': 'application/json'}

And this is what I receive:

{"error":"invalid_grant","error_description":"Invalid authorization code"}

 I also shared this question in StackOverflow:


@Hosein Nourani were you able to find a solution to this?

Hi Ajay, 

Yes, I noticed that the function that I call to extract the token was not working accurately.

I took it manually from the response URL and it worked!



Thank you,


I'm New Here
Apr 25, 2023

Can you please share with us the correct function? I'm facing the same problem and it took me so much time. I don't know where the problem is; the data I provided is valid.
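
Added example, not part of the thread and not Atlassian's code: the fix reported above was in the function that reads the authorization code from the callback URL, so this JavaScript shows one way to extract the code and build the token request body with the same redirect_uri that was sent in step 1. The function names, callback URL, state value and credentials are constructed for illustration, and the state check assumes the app sent a state parameter in step 1.

```javascript
// Added example; every name and sample value here is constructed.

// Must be character-for-character the redirect_uri sent in step 1,
// including any trailing slash.
const REDIRECT_URI = 'https://app.example.test/callback/';

// Read the authorization code from the URL the browser was redirected to.
function extractAuthCode(callbackUrl, expectedState) {
  // searchParams excludes the #fragment and percent-decodes each value once.
  const params = new URL(callbackUrl).searchParams;

  // The authorization server reports failures on the same redirect.
  if (params.has('error')) {
    throw new Error(`authorization failed: ${params.get('error')}`);
  }
  // Reject callbacks that do not carry the state this session issued.
  if (params.get('state') !== expectedState) {
    throw new Error('state mismatch');
  }
  const codes = params.getAll('code');
  if (codes.length !== 1 || codes[0] === '') {
    throw new Error('expected exactly one non-empty code parameter');
  }
  return codes[0];
}

// JSON body for the token request, to be POSTed with
// Content-Type: application/json as in the curl example above.
function buildTokenRequestBody(code, clientId, clientSecret) {
  return JSON.stringify({
    grant_type: 'authorization_code',
    client_id: clientId,
    client_secret: clientSecret,
    code,
    redirect_uri: REDIRECT_URI,
  });
}

// Constructed callback: the code arrives percent-encoded, followed by
// another parameter and a fragment.
const sampleCallback =
  'https://app.example.test/callback/?code=aB3%2Fx%2By%3D&state=s-123#_=_';

// Hypothetical naive extractor, for comparison: it keeps the encoding and
// everything after "code=", so the server receives a value it never issued.
function naiveExtract(callbackUrl) {
  return callbackUrl.split('code=')[1];
}
```

An authorization code is single-use and short-lived, so when debugging, run the exchange once with a freshly issued code rather than replaying one from an earlier attempt.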
