Invalid_client error from Epic

We are building and testing a patient-facing app using Epic on FHIR. This app uses the Standalone Launch flow.

When making the POST request to exchange our authorization code for a token, we’re receiving a 401 error with invalid_client in the body. This is in the sandbox environment.

Our app is a Confidential Client (the client secret is not exposed to end-users in any way) and we require persistent access (we need a refresh_token).

We’re able to get the code after MyChart redirects to our app. We have followed the instructions in the documentation to authenticate our request: we used HTTP basic auth with the URL-encoded client ID and client secret as username and password, respectively. We are using the non-production client ID. As far as we can tell, all of the other form fields are correct as well. We tried regenerating the client secret and used the new one, but the issue still persists. We’ve reached out to open@epic.com, but they haven’t provided any support. As far as we can tell, we are following the documentation.

Does anyone have any pointers?

A little hard to troubleshoot without seeing the exact call, but things to check include:

  1. Make sure the Content-Type is application/x-www-form-urlencoded.
  2. Make sure the redirect_uri you are passing in matches exactly with what’s in your app listing and with what you passed in for the authorization code flow.

We’ve managed to resolve this. It seems like the client ID and client secret should NOT be URL-encoded when used as HTTP basic auth credentials. The documentation is misleading in that regard.
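As an added illustration (not code from the original thread, from Epic, or from the app in question), here is how a confidential client can assemble the code-exchange request so that it satisfies the two checks in the reply above and the resolution just stated: raw (not percent-encoded) client ID and secret in the Basic header, form-encoded body, and a redirect_uri that matches the listing and the authorize step. The client ID, secret, code and redirect URI are constructed placeholders.

```python
import base64
from urllib.parse import quote, urlencode

FORM = "application/x-www-form-urlencoded"


def basic_auth_header(client_id: str, client_secret: str, url_encode: bool = False) -> str:
    """Build the HTTP Basic Authorization value for the token endpoint.

    Per the resolution above, the raw client ID and secret are joined with ':'
    and base64-encoded. url_encode=True reproduces the percent-encoded variant
    that the thread found is rejected with invalid_client.
    """
    if url_encode:
        client_id = quote(client_id, safe="")
        client_secret = quote(client_secret, safe="")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(code: str, redirect_uri: str, client_id: str, client_secret: str):
    """Return (headers, body) for the authorization-code exchange of a confidential client.

    The client authenticates in the Authorization header, so client_id is not
    repeated in the form body; the secret never leaves the server side.
    """
    headers = {
        "Content-Type": FORM,
        "Accept": "application/json",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    })
    return headers, body


def preflight_checks(headers: dict, redirect_uri: str, registered_uri: str, authorize_uri: str) -> list:
    """Apply the two checks from the reply above before the request is sent."""
    problems = []
    if headers.get("Content-Type") != FORM:
        problems.append("Content-Type must be " + FORM)
    if redirect_uri != registered_uri:
        problems.append("redirect_uri differs from the app listing")
    if redirect_uri != authorize_uri:
        problems.append("redirect_uri differs from the one sent to the authorize endpoint")
    return problems
```

Send the returned headers and body with any HTTP client against the sandbox token endpoint; an empty list from preflight_checks means the request at least matches the points raised in this thread.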