Browser Requests to the Token Endpoint Must Use Proof Key for Code Exchange
Okta Classic Engine
API Access Management
Overview

When using the Authorization Code Flow, Client Credentials Flow, or Resource Owner Password Flow, Okta returns the following error from the /token endpoint of the authorization server:

{
    "error": "invalid_client",
    "error_description": "Browser requests to the token endpoint must use Proof Key for Code Exchange."
}


Applies To
  • OpenID Connect
  • OAuth 2.0
  • Authorization Code Flow
  • Client Credentials Flow
  • Resource Owner Password Flow
  • Okta Classic Engine
Cause

The "Origin" header is present in the request to the /token endpoint of the authorization server.

Solution

The "Origin" header is sent by browsers on client-side requests, and Okta requires PKCE whenever the /token request is made from the client side.

Authorization Code Flow with PKCE is the only client-side OIDC flow that can use the /token endpoint of the authorization server. Any other OIDC flows must send the request through a server-side/native method and must not have the "Origin" header present in the /token request.

NOTE: The browser version of the Postman application may automatically add the "Origin" header to the payload. If using this version, double-check to see if the Origin header has been added to the /token call.
