Bad client credentials


When I try to Hit this API, I’m Just Getting this Response

“error”: “invalid_client”,
“error_description”: “Bad client credentials”

I have no idea what’s going on, Any suggestions?

There are some errors in your request, as shown in this documentation you have to create a request compatible the the following curl sample:

curl -X POST
-u <developer client id>:<developer secret>
-d redirect_uri=<redirect URI used in authorize request>
-d scope=<space separated scopes>
-d grant_type=authorization_code
-d code=<authorization code>

If you are not familiar with curl, you should read curl documentation. OAuth2 RFC is another source of information.

Other useful material:

Thanks for your response sir.

1st Question - I don’t understand the steps of O Auth to allow my users to login/sign up using Battle dot net OAuth APIs , I’m using React JS Framework.

From my understanding :

1st step is to Authorization Request (Which I’ve done and I’m getting the Code with the Return URI)
2nd step is Access Token Request (When I’m sending All the Params using Post Method ) I’m getting this is response.
“error”: “invalid_client”,
“error_description”: “Bad client credentials”

3.User Info (Haven’t reached here)

Please suggest what should I do and share reference if possible.

Can you share the exact piece of code you are using for exchanging the authorization_code for the access_token (excluding only your own credentials obviously) ?

Also, please use markdown when posting code in this forum, it does help a lot.

For anyone else hitting this, the issue he was having was that he was likely including the basic credentials header AND including the client_id in the URL. I was receiving the same error until I removed client_id from the URL. The appropriate call is:

Authorization: Basic {base64-encoded-credentials} (e.g., YzkwNzBi...TTkNGWnk=)

I am running into this same problem using an OpenID Connect NPM package.

Are we supposed to be storing the client secret in web applications and sending them in the header to exchange the code for the access token? This doesn’t follow OAuth2/OpenID Connect standards and seems very insecure. JavaScript clients should not be using client secrets.

Hi jstratman33,

Are you writing a purely client side application/single page app? Blizzard OAuth does not currently support OAuth flows sufficient for single page applications. To facilitate the Authorization Code Flow (managing redirects and to keep your client secret private), we recommend leveraging a server component in your application architecture.


Thank you for the quick response. This is awkward for me as other OAuth2 implementations I have used allow implicit flow and auth code flow from pure single page apps. I am creating a server-side proxy to retrieve the access token.