splitwise/api-docs

OAuth 2.0 Token Request Failing with "invalid_grant" – Integration Help Needed

Closed this issue · 2 comments

Hi Splitwise Support Team,

We are currently working on integrating Splitwise APIs with our product using OAuth 2.0.

We successfully obtained the authorization code using the following authorize URL:

**https://secure.splitwise.com/oauth/authorize?
redirect_uri=https://42c0-49-43-233-237.ngrok-free.app/api/splitwise/callback
&response_type=code
&state=randomString-1234
&client_id=b2IFmzsQiLSSMmSHx5XeVaGoJm0aZ0wjvZGa5iJc**

After receiving the code, we attempted to exchange it for an access token by making a POST request to:

**POST https://secure.splitwise.com/oauth/token**

However, we are receiving a 400 Bad Request response with the following error:

```json
{
  "error": "invalid_grant"
}
```

We have attached a screenshot showing the exact body parameters sent in the request. We’ve followed the OAuth 2.0 standard, but it seems the token exchange is failing—possibly due to undocumented or specific expectations on the grant_type or other fields.

Could you please clarify:

What values are expected for the grant_type field (we are using "authorization_code" as per the standard)?

Are there any additional parameters or headers required that are not documented?

Looking forward to your guidance.


Best regards,
Sanjaya Reddy Addula
Senior Java Developer

Hi @asanjayareddy ,

Although we can't help debug your specific application, we do try to follow the OAuth 2.0 RFC. In particular, per RFC 6749 § 5.2, the invalid_grant response means:

> The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.

Per the same RFC, § 4.1.2:

> A maximum authorization code lifetime of 10 minutes is RECOMMENDED.

We follow this recommendation.

On a separate topic, you've posted a screenshot with your application's client secret. You should protect that secret like a password.

I've preemptively rotated your client secret for you. You can find the new one on your app's detail page, which is accessible from https://www.splitwise.com/apps.
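The following is an added example, not code from Splitwise or from either comment above, covering both the token request in the question and the RFC 6749 § 5.2 conditions cited in the reply. It pairs a toy in-memory authorization server with a client that performs the authorization-code exchange correctly, then walks through each condition under which the server answers `invalid_grant` (code reused, `redirect_uri` differing from the one sent to the authorize endpoint, code older than the recommended 10-minute lifetime, code issued to a different client). The client IDs, secrets, redirect URI and 600-second lifetime are assumptions made for the demonstration; a wrong client secret is shown separately because it yields `invalid_client`, not `invalid_grant`.

```python
"""Toy OAuth 2.0 authorization-code exchange, both sides, to show what triggers invalid_grant.

Everything here (client ids, secrets, redirect URI, code lifetime) is constructed for the example.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME = 600  # seconds; RFC 6749 section 4.1.2 recommends a maximum of 10 minutes


class AuthorizationServer:
    """Minimal in-memory server: issues single-use authorization codes and redeems them."""

    def __init__(self, clients):
        self.clients = clients  # client_id -> client_secret
        self.codes = {}         # code -> (client_id, redirect_uri, issued_at)

    def authorize(self, client_id, redirect_uri, state, now=None):
        """GET /oauth/authorize after user consent: returns the redirect URL carrying code and state."""
        if client_id not in self.clients:
            raise ValueError("unknown client_id")
        issued_at = time.time() if now is None else now
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, issued_at)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, form, now=None):
        """POST /oauth/token: returns (http_status, json_body) following RFC 6749 section 5.2."""
        now = time.time() if now is None else now
        if form.get("grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        if self.clients.get(form.get("client_id")) != form.get("client_secret"):
            return 401, {"error": "invalid_client"}          # bad credentials, not a grant problem
        entry = self.codes.pop(form.get("code"), None)       # codes are single-use: pop, never get
        if entry is None:
            return 400, {"error": "invalid_grant"}           # unknown, revoked, or already redeemed
        owner, redirect_uri, issued_at = entry
        if owner != form["client_id"]:
            return 400, {"error": "invalid_grant"}           # issued to another client
        if redirect_uri != form.get("redirect_uri"):
            return 400, {"error": "invalid_grant"}           # must match the authorize request
        if now - issued_at > CODE_LIFETIME:
            return 400, {"error": "invalid_grant"}           # expired
        return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}


def exchange_code(server, client_id, client_secret, redirect_uri, callback_url, expected_state, now=None):
    """Client side: check state on the callback, then redeem the code with the same redirect_uri."""
    params = parse_qs(urlparse(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF, do not exchange the code")
    form = {
        "grant_type": "authorization_code",
        "code": params["code"][0],
        "redirect_uri": redirect_uri,   # byte-for-byte the value sent to /oauth/authorize
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return server.token(form, now=now)


def run_scenarios():
    """Happy path plus each failure cause; returns {scenario: 'ok' | error code | 'rejected'}."""
    client, secret = "demo-client", "demo-secret"              # constructed credentials
    redirect_uri = "https://app.example/api/callback"          # constructed redirect URI
    server = AuthorizationServer({client: secret, "other-client": "other-secret"})
    results = {}

    def fresh_callback(now=0):
        state = secrets.token_urlsafe(8)
        return server.authorize(client, redirect_uri, state, now=now), state

    cb, st = fresh_callback()
    status, body = exchange_code(server, client, secret, redirect_uri, cb, st, now=1)
    results["happy_path"] = "ok" if status == 200 else body["error"]
    _, body = exchange_code(server, client, secret, redirect_uri, cb, st, now=2)
    results["code_reused"] = body["error"]

    cb, st = fresh_callback()
    _, body = exchange_code(server, client, secret, "https://app.example/other", cb, st, now=1)
    results["redirect_uri_mismatch"] = body["error"]

    cb, st = fresh_callback()
    _, body = exchange_code(server, client, secret, redirect_uri, cb, st, now=CODE_LIFETIME + 1)
    results["expired_code"] = body["error"]

    cb, st = fresh_callback()
    _, body = exchange_code(server, "other-client", "other-secret", redirect_uri, cb, st, now=1)
    results["other_client"] = body["error"]

    cb, st = fresh_callback()
    _, body = exchange_code(server, client, "wrong-secret", redirect_uri, cb, st, now=1)
    results["bad_secret"] = body["error"]

    cb, st = fresh_callback()
    try:
        exchange_code(server, client, secret, redirect_uri, cb, "forged-state", now=1)
    except ValueError:
        results["state_mismatch"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:22} -> {outcome}")
```

When a real token endpoint returns `invalid_grant`, the same four server-side checks are the ones to audit on the client: the code was not already redeemed (for example by a retried callback handler), the `redirect_uri` in the token request is the identical string used on the authorize request (scheme, host, path, trailing slash), the exchange happens within minutes of the callback, and the `client_id` matches the one the code was issued to.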