Invalid Grant Error when Accessing Token Endpoint
API Access Management
Okta Identity Engine
Overview

The purpose of this article is to understand why the /token endpoint could return one of the following errors:

  • "error": "invalid_grant", "error_description": "The grant was issued to another client. Please make sure the client_id matches the one used at the authorize request."
  • "error": "invalid_grant", "error_description": "The authorization code is invalid or has expired."
  • "error": "invalid_grant", "error_description": "The refresh token is invalid or expired."
Applies To
  • OAuth 2.0/OpenID Connect Application
  • /token endpoint
  • invalid_grant error
  • Okta Identity Engine (OIE)
Cause
  • "The grant was issued to another client. Please make sure the client_id matches the one used at the authorize request" occurs when the client_id sent to the /token endpoint does not match the client_id used in the /authorize request that issued the authorization code.
  • "The authorization code is invalid or has expired." occurs when the authorization code has expired, has already been redeemed (authorization codes are single-use), or is invalid or malformed.
  • "The refresh token is invalid or expired." occurs when the refresh_token included in the request is not valid: it has expired, has been revoked, or has already been used while refresh token rotation is enabled for the application (a rotated refresh token is single-use).
Solution

Error "The grant was issued to another client. Please make sure the client_id matches the one used at the authorize request"

To fix this error:

  1. Verify the client_id value used in the initial call to the /authorize endpoint.
  2. Ensure the exact same client_id value is used when making the subsequent call to the /token endpoint to exchange the authorization code for a token.

Error "The authorization code is invalid or has expired."

A new authorization code must be generated by re-initiating the authorization flow:

  1. Redirect the user to the /authorize endpoint to start a new authentication and authorization request.
  2. Upon successful authorization, the authorization server will provide a new authorization code.
  3. Immediately use the new authorization code to make a request to the same authorization server's /token endpoint to retrieve the tokens.

Error "The refresh token is invalid or expired."

To fix this error, start a new authentication and authorization flow to obtain a new set of tokens:

  1. Initiate a new authorization request to the authorization server.
  2. After successful authentication, the authorization server issues a new refresh token along with an access token.
  3. Store the new refresh token securely and discard the invalid one.
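The following is an added example (not Okta's code) that shows how a client can apply the three fixes above: reuse the same client_id for the /authorize and /token calls, restart the flow when the code is rejected, and persist a rotated refresh token immediately while discarding the old one. The `post(url, data) -> dict` transport and the `FakeTokenEndpoint` stand-in are hypothetical so the logic runs offline; the token URL is a placeholder.

```python
# Client-side handling of invalid_grant responses from an OAuth 2.0 /token endpoint.
# Added example, not Okta's code. TOKEN_URL is a placeholder, not a real endpoint.
TOKEN_URL = "https://example.invalid/oauth2/v1/token"

# Map the article's three error_description strings to the recovery step it prescribes.
ACTIONS = {
    "issued to another client": "fix_client_id",        # reuse the /authorize client_id
    "authorization code is invalid": "restart_authorize",  # re-initiate the flow for a new code
    "refresh token is invalid": "reauthenticate",        # run a new authorization flow
}

def recovery_action(body: dict) -> str:
    """Return the recovery action for a /token error body, or 'unhandled'."""
    if body.get("error") != "invalid_grant":
        return "unhandled"
    desc = body.get("error_description", "")
    return next((act for needle, act in ACTIONS.items() if needle in desc), "unhandled")

def exchange_code(post, client_id: str, code: str, redirect_uri: str) -> dict:
    """Exchange an authorization code; client_id must equal the one sent to /authorize."""
    return post(TOKEN_URL, {"grant_type": "authorization_code", "client_id": client_id,
                            "code": code, "redirect_uri": redirect_uri})

def refresh(post, client_id: str, store: dict) -> str:
    """Redeem the stored refresh token. With rotation enabled the old token is single-use,
    so the replacement is persisted right away and an invalid one is discarded."""
    body = post(TOKEN_URL, {"grant_type": "refresh_token", "client_id": client_id,
                            "refresh_token": store["refresh_token"]})
    if "error" in body:
        action = recovery_action(body)
        if action == "reauthenticate":
            store.pop("refresh_token", None)  # discard the invalid refresh token
        return action
    store["refresh_token"] = body["refresh_token"]  # rotated token replaces the old one
    store["access_token"] = body["access_token"]
    return "ok"

class FakeTokenEndpoint:
    """Constructed stand-in for /token with refresh token rotation: each refresh token
    redeems once, each code redeems once and only for the client_id it was issued to."""
    def __init__(self):
        self.codes = {"code-abc": "client-1"}  # constructed: code issued to client-1
        self.live_refresh, self.n = set(), 1
    def __call__(self, url: str, data: dict) -> dict:
        if data["grant_type"] == "authorization_code":
            owner = self.codes.get(data["code"])
            if owner is None:
                return {"error": "invalid_grant", "error_description": "The authorization code is invalid or has expired."}
            if owner != data["client_id"]:
                return {"error": "invalid_grant", "error_description": "The grant was issued to another client. Please make sure the client_id matches the one used at the authorize request."}
            del self.codes[data["code"]]
        elif data["refresh_token"] not in self.live_refresh:
            return {"error": "invalid_grant", "error_description": "The refresh token is invalid or expired."}
        else:
            self.live_refresh.discard(data["refresh_token"])
        self.n += 1
        self.live_refresh.add(f"rt-{self.n}")
        return {"access_token": f"at-{self.n}", "refresh_token": f"rt-{self.n}"}
```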
