Nightbot API 400 - badly written POST-request?

First and foremost, you should never make OAuth2 token calls containing a secret from client-side code. Your client secret is a secret, and must be kept on a backend server and not shared with clients.

Additionally, if you’re just making an integration for yourself to use, you can skip the authorization code and authenticate with client credentials instead:


If you’re building an integration for others to use, you want to exchange the code for a token using your secret on a backend server. The problem with your code sample is you’re probably posting JSON, whereas the endpoint (as per the OAuth2 RFC) is accepting urlencoded data as the body

1 Like