Why do I keep getting errors.unknown_or_used when requesting an access_token?

The code that is generated when a user goes through the authorization process is restricted in a number of ways. This error means one of two things:

  1. The code has expired or has already been used

Codes are single use codes that expire in a relatively short time frame. So when if you’re building an auth flow from scratch and not using something like Omniauth, you will need to be careful to request a new code each time you want to test your access_token redemption process.

  1. The information passed when redeeming the code doesn’t match the authorization values.

The most common cause of this is that redirect_uri value passed to Request Access Token doesn’t match that used in the Authorization Request.

You can inspect the token request in your Developer Dashboard and cross-reference that against the preceding authorization request

These restrictions help to mitigate against a code don’t end up in the wrong hands.