Question

OAuth invalid_client after login — Custom App with valid credentials

  • May 11, 2026
  • 1 reply
  • 32 views

Subject: OAuth invalid_client after login — Custom App with valid credentials


Authentication Type: OAuth 2.0 (User Authentication)
Status in Dev Console: Enabled
Status in Admin Console → Platform Apps Manager → User Authentication Apps: Enabled

Issue:
The OAuth authorize endpoint returns "invalid_client" after the user logs
in (logged in as the app owner [removed by moderator]). The error page
shows Error: invalid_client with no Show Details revealed.

What I have already verified:
1. Client Secret is correct — confirmed via curl POST to
https://api.box.com/oauth2/token with a fake auth code. Response:
{"error":"invalid_grant","error_description":"Auth code doesn't exist or is invalid for the client"}
This proves client_id + client_secret are accepted by Box's token endpoint.
2. Redirect URI is registered exactly as sent in the consent request:

3. Scopes: Read all files + Write all files (Content Actions)
4. App is enabled in both Dev Console and Admin Console
5. I am the developer who owns the app

Three identical OAuth providers (Google, Microsoft, Dropbox) work end-to-end
with the same redirect URI and same client-side flow.

App Diagnostics tab has a 48-hour delay so I cannot self-diagnose from there.

Please advise what's blocking the OAuth flow for this app specifically.

1 reply

  • New Member
  • May 12, 2026

This is a frustrating spot to be in—especially when you’ve already done the heavy lifting of verifying the secret via the token endpoint. Since your curl test returned an invalid_grant (meaning the ID and Secret were validated), we know the credentials themselves are active.
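
Added example, not part of the original thread and not Box's code: the token-endpoint test in the question only exercises the credentials sent in that POST, while the authorize request carries its own client_id and redirect_uri in the query string. This sketch reads a token error body using the RFC 6749 section 5.2 meanings and compares a captured authorize URL with the app's registered values. The host names, client_id value and function names are constructed placeholders.

```python
import json
from urllib.parse import urlsplit, parse_qs

def classify_token_error(body: str) -> str:
    """Interpret a token-endpoint error body (RFC 6749 section 5.2 meanings)."""
    err = json.loads(body).get("error")
    if err == "invalid_client":
        return "client authentication failed"
    if err == "invalid_grant":
        return "client authenticated; grant (auth code) rejected"
    return f"other: {err}"

def audit_authorize_url(url: str, client_id: str, registered_redirect: str) -> list[str]:
    """Compare what was actually sent to the authorize endpoint with the app's values."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    findings = []
    # Duplicated or missing parameters are a common result of URL-building bugs.
    for name in ("client_id", "redirect_uri", "response_type"):
        count = len(q.get(name, []))
        if count != 1:
            findings.append(f"{name}: expected exactly one value, got {count}")
    sent_id = q.get("client_id", [""])[0]
    if sent_id != client_id:
        hint = " (differs only by whitespace)" if sent_id.strip() == client_id else ""
        findings.append(f"client_id mismatch{hint}: sent {sent_id!r}")
    sent_redirect = q.get("redirect_uri", [""])[0]  # parse_qs has already percent-decoded it
    if sent_redirect != registered_redirect:
        findings.append(f"redirect_uri mismatch: sent {sent_redirect!r}")
    if q.get("response_type", [""])[0] != "code":
        findings.append("response_type is not 'code'")
    return findings

# Token error body as quoted in the question.
SAMPLE_TOKEN_ERROR = ('{"error":"invalid_grant","error_description":'
                      '"Auth code doesn\'t exist or is invalid for the client"}')
# Constructed placeholders, not values from the thread.
CLIENT_ID = "EXAMPLE_CLIENT_ID"
REDIRECT = "https://app.example.invalid/callback"
BASE = "https://auth.example.invalid/authorize?response_type=code"
GOOD_URL = BASE + "&client_id=EXAMPLE_CLIENT_ID&redirect_uri=https%3A%2F%2Fapp.example.invalid%2Fcallback"
BAD_URL = BASE + "&client_id=EXAMPLE_CLIENT_ID%20&redirect_uri=https%3A%2F%2Fapp.example.invalid%2Fcallback"

if __name__ == "__main__":
    print(classify_token_error(SAMPLE_TOKEN_ERROR))
    for url in (GOOD_URL, BAD_URL):
        print(audit_authorize_url(url, CLIENT_ID, REDIRECT) or "authorize parameters match")
```

Feed it the authorize URL copied from the browser's address bar or network log at the moment of the redirect, not the one the client code is expected to build.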