Make sure you're using Basic Authorization with your client ID and secret, and that your POST contains the correct redirect URI.
Make sure all POSTs are using the correct content type.
Codes expire after one minute, and they can only be redeemed once - check to make sure that you aren't trying to exchange a code that's already been used (you will receive a 400 error code if this is the case).
This error message appears if you're trying to access endpoints a token doesn't have access to. Make sure you're only using SSO bearer tokens on supported endpoints. If you get this with a district-app token, this means your app doesn't have access to Secure Sync.
Never ask users for their credentials in order to test a login - it does not follow our security best practices. If you have access to Secure Sync, you can use our debugging tool to initiate a log in as the user in question.
If you're still running into issues, reach out to us at [email protected]! Please include the timeframe of the error, code(s) for the login attempts that failed, and as much information as possible.
Updated over 2 years ago