Hi Daniel,
I do not see it in the Auth0 logs. I only see the `code` parameter.
I do see that Genesys has sent a request to Auth0 with the description of: Authorization Code for Access Token and I see a successful token exchange.
I tried using Postman directly to call https://api.usw2.pure.cloud/api/v2/webdeployments/token/oauthcodegrantjwtexchange but I didn't have any luck either.
Request

```json
{
  "deploymentId": "DEPLOYMENT_ID_REDACTED",
  "oauth": {
    "code": "AUTH_CODE_REDACTED",
    "redirectUri": "gfiber://[auth-domain]/android/com.google.android.apps.fiber.myfiber/callback",
    "codeVerifier": "PKCE_VERIFIER_REDACTED"
  }
}
```

Response

```json
{
  "message": "Failed to identify user for token: 03c9d8d438fabe49d0282a6c546c8916 deploymentId: 95cc2d03-6f3e-4fe3-89fe-da9d702cecd4",
  "code": "unauthorized",
  "status": 401,
  "contextId": "03c9ca27-0f87-4055-9912-606f1ef7915d",
  "details": [],
  "errors": []
}
```
------------------------------
Kevin Nguyen
------------------------------
Original Message:
Sent: 11-26-2025 23:28
From: Daniel Souza
Subject: Android Mobile Messenger 401: AuthFailed During OAuth Code Exchange (PKCE)
Hello, Kevin
In the Auth0 logs for the token exchange, does Auth0 show the code_verifier parameter being sent? Do you see Auth0 receiving a token validation request from Genesys after the app returns the code?
------------------------------
Daniel Souza
Original Message:
Sent: 11-26-2025 19:28
From: Kevin Nguyen
Subject: Android Mobile Messenger 401: AuthFailed During OAuth Code Exchange (PKCE)
Hello everyone,
I'm integrating the Genesys Cloud Mobile Messenger SDK into a native Android application using Auth0 as our external Identity Provider (IdP) via the Authorization Code Grant with PKCE.
We have successfully configured the token exchange, as confirmed by successful log entries on the IdP side, but the Genesys Cloud API is rejecting the token exchange with a 401 Unauthorized error.
🛑 Problem/Symptom
When the ChatController is instantiated with the MessengerAccount, the subsequent internal API call to exchange the Authorization Code fails, resulting in the session teardown.
Logcat Error (from Mobile Messenger SDK):
⚙️ Configuration Details
We believe the failure is occurring at the point where the Genesys Cloud API attempts to prove the identity to Auth0, leading to a rejected token that can't be used to start the session.
| Component | Setting/Value | Status/Purpose |
| --- | --- | --- |
| Genesys Cloud Region | usw2.pure.cloud | Production region. |
| Auth0 Application Type | Native Application | Correctly set for mobile. |
🔑 Token Details (Confirmed to be Correct)
The Access Token (JWT) successfully issued by Auth0 (before being sent to Genesys) contains the correct audience, confirming Auth0 is issuing the token for the right recipient.
❓ Questions for the Community
- Given that our Access Token has the correct aud claim and the Authorization Code is consumed immediately on the Auth0 side, does this failure point to a PKCE mismatch between the code_verifier (from the mobile app) and the code_challenge (sent to Auth0)?
- In a flow where Genesys Cloud is using a client secret to proxy the exchange for a Native App, is there a known issue with how the Genesys proxy forwards the code_verifier?
- Are there any specific, verbose Genesys Audit/Exchange logs we can access in the Admin interface that would show the reason for the 401 beyond the high-level API error?
Any guidance on how to isolate the exact point of failure within the Genesys Cloud/Auth0 handshake would be greatly appreciated!
Thank you!
#WebMessaging
------------------------------
Kevin Nguyen
------------------------------