This article explains what can cause the mismatched_authorization_server error to appear in the System Log when the /token endpoint is called with a refresh token. The same condition also produces an invalid_request error in Postman.
- mismatched_authorization_server
- Authorization servers
- invalid_request
- 400 bad request
- Refresh Tokens
The error occurs when the /token call with the refresh token is made against a different authorization server than the /token call with the code. For example, the /token call with refresh tokens was made against the custom default authorization server, while the /token call with code was made against a custom-created authorization server, as shown in the following 2 screenshots.
- /token call with refresh tokens was issued by a custom default authorization server:
- /token call with refresh tokens was issued by a custom-created authorization server:
In the System Log, expand the mismatched_authorization_server event and go to System > Debug Context > Debug Data. The authorization server ID is shown there.
The solution is to ensure that the same authorization server that is used in the first /token request (to receive the refresh token) is also used in the subsequent /token requests that use that refresh token to get new tokens.
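One way to catch the mismatch on the client before the refresh request is sent is to compare the issuer of a JWT received alongside the refresh token with the /token URL about to be called. This is an added example, not code from the original article or from Okta. It assumes the issuer and endpoint layouts /oauth2/default, /oauth2/{authorizationServerId} and /oauth2/v1/token (org authorization server); example.okta.com, aus1example and all function names are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlparse


def auth_server_of(url):
    """Return (host, server) for an issuer or /token URL.

    server is "default", a custom authorization server ID, or "org" for the
    org authorization server (/oauth2/v1/token, issuer = bare domain).
    URL layout is an assumption stated in the lead-in.
    """
    parts = urlparse(url)
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) >= 2 and segs[0] == "oauth2" and segs[1] != "v1":
        return parts.hostname, segs[1]
    return parts.hostname, "org"


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_refresh_target(token, token_endpoint):
    """Compare the server that issued `token` with the server about to be called."""
    issued_by = auth_server_of(jwt_claims(token)["iss"])
    target = auth_server_of(token_endpoint)
    return issued_by == target, issued_by, target


def make_sample_token(issuer):
    """Constructed, unsigned token for the demo; not a real token."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'iss': issuer, 'sub': 'demo'})}.sig"


if __name__ == "__main__":
    # Constructed values: the token was issued by a custom-created server.
    token = make_sample_token("https://example.okta.com/oauth2/aus1example")
    for endpoint in ("https://example.okta.com/oauth2/default/v1/token",
                     "https://example.okta.com/oauth2/aus1example/v1/token"):
        ok, issued_by, target = check_refresh_target(token, endpoint)
        print("OK      " if ok else "MISMATCH", issued_by[1], "->", target[1])
```

A MISMATCH result here corresponds to the request that would be logged as mismatched_authorization_server; the fix is to point the refresh request at the endpoint of the issuing server.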
