We are building and testing a patient-facing app using Epic on FHIR. This app uses the Standalone Launch flow.
When making the POST request to exchange our authorization code for a token, we’re receiving a 401 error with invalid_client in the body. This is in the sandbox environment.
Our app is a Confidential Client (the client secret is not exposed to end-users in any way) and we require persistent access (we need a refresh_token).
We’re able to get the code after MyChart redirects to our app. We have followed the instructions in the documentation to authenticate our request: we used HTTP basic auth with the URL-encoded client ID and client secret as username and password, respectively. We are using the non-production client ID. As far as we can tell, all of the other form fields are correct as well. We tried regenerating the client secret and used the new one, but the issue still persists. We’ve reached out to open@epic.com, but they haven’t provided any support. As far as we can tell, we are following the documentation.
Does anyone have any pointers?
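As an added illustration (not code from the original post, and not Epic's own client library), here is how the request described above is assembled per RFC 6749 section 2.3.1: each credential is form-urlencoded first, then joined with a colon and base64-encoded into the Authorization header, while the form body carries only grant_type, code and redirect_uri. The decode helper lets you inspect exactly what was sent, which is the first thing worth checking when a token endpoint answers 401 invalid_client. The client ID, secret, code, redirect URI and token URL in the usage call are hypothetical placeholders; substitute the non-production values from your app registration.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def basic_auth_header(client_id, client_secret):
    """Build the HTTP Basic value RFC 6749 section 2.3.1 prescribes for
    confidential clients: form-urlencode each credential *first*, then join
    with ':' and base64 the pair. Skipping the encoding step is harmless for
    plain alphanumeric credentials but corrupts secrets containing '+', '/',
    '=' or ':'.
    """
    user = urllib.parse.quote(client_id, safe="")
    pwd = urllib.parse.quote(client_secret, safe="")
    token = base64.b64encode(f"{user}:{pwd}".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header):
    """Reverse basic_auth_header: returns (client_id, client_secret) as the
    server will see them. Use it to eyeball the header you actually sent."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, pwd = base64.b64decode(token).decode("ascii").partition(":")
    return urllib.parse.unquote(user), urllib.parse.unquote(pwd)


def build_token_request(token_url, code, redirect_uri, client_id, client_secret):
    """Return (url, headers, body) for the authorization-code exchange.
    With Basic auth the client_id travels only in the header; redirect_uri
    must match the value used in the authorize step byte for byte."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }).encode("ascii")
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return token_url, headers, body


def exchange_code(token_url, code, redirect_uri, client_id, client_secret):
    """POST the exchange. On a 4xx, return the parsed error body instead of
    raising so `error` / `error_description` can be logged alongside the
    status code; on success return the token response."""
    url, headers, body = build_token_request(
        token_url, code, redirect_uri, client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        payload = err.read().decode("utf-8", "replace")
        try:
            return err.code, json.loads(payload)
        except json.JSONDecodeError:
            return err.code, {"raw": payload}


if __name__ == "__main__":
    # Hypothetical placeholder values; replace with your registration's non-production ones.
    hdr = basic_auth_header("my-client-id", "s3cr=t+/x")
    print(hdr)
    print(decode_basic_auth(hdr))  # should round-trip to the original pair
    status, resp = exchange_code(
        "https://token.endpoint.example/oauth2/token",  # placeholder token URL
        "authorization-code-from-redirect",
        "https://app.example/callback",
        "my-client-id", "s3cr=t+/x")
    print(status, resp)
```

Comparing the output of decode_basic_auth against the values shown on the app registration page, and confirming the redirect_uri in the body is identical to the one sent to the authorize endpoint, rules out the two request-construction mistakes that are under your control before escalating further.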