Web API Authentication

Good morning, I would like to preface by saying that I have completed the process to activate the web API integrations and successfully received the secret key. As of now, I am following the OAuth2 flow to authenticate.

In the first step I create an authorization URL as follows:


After that, when I receive a call on my server, I manually copy the code that was sent as a parameter and execute this call with bash:

curl -X POST \
--header 'Content-Type: application/x-www-form-urlencoded' \
-d "client_id=$client_id&client_secret=$client_secret&grant_type=authorization_code&code=$code&redirect_uri=$redirect_uri" \

However, the response to the bash request is as follows, even though the client_id and the client_secret are the same as those shown on Nuki's web API page:

{"error":"invalid_client","error_description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). passwords do not match"}

Additionally, here’s a sample of my codes:



The error suggests that there is a problem with the credentials used to authenticate the client (usually a combination of client ID and client secret). Has your advanced API request been approved? Please validate the client ID & secret again.

Please try to use this curl command to request the access token:

curl -X POST -d 'client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=CALLBACK_URL' https://api.nuki.io/oauth/token

Hello, yes, my advanced API request has been approved. When I request a token (not an AUTHORIZATION_CODE) with my credentials, the API response is correct, and I can use it to authenticate. So, I don’t think the credentials are the issue in this case.
To clarify any doubts: the credentials are the ones found on the page Nuki Web on the API page, in the “OAuth2 API key & URL” section. Specifically, client_id corresponds to “OAuth2 API key” and client_secret corresponds to “OAuth2 API Secret,” correct?

Yes, that is correct. Then I'm afraid the curl command has some issue. Could you please try to authorize via Postman or Swagger to validate this?

Using Swagger (Nuki demo), I have to enter only the client_id, and it works. However, when I use Postman, I receive the same error as when sending data with PHP or Curl (bash).

So it looks like a format error, which is why I asked you to check with the command given in the documentation:

curl -X POST -d 'client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=CALLBACK_URL' https://api.nuki.io/oauth/token

Sorry for the misunderstanding. I tried using the Bash command from the documentation, PHP (with cURL), Postman, and the demo on your site. However, everything except the demo gives me the same error {"error_description":"Invalid client credentials.","error":"invalid_client"}, even though the credentials are correct.
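The thread raises the possibility of a format error in the token request body. The following is an added example, not code from any poster or from Nuki's documentation: it builds the application/x-www-form-urlencoded body with every value percent-encoded and counts the parameters a server would parse from it. The function names and all sample values are assumptions constructed for illustration, and the thread does not establish that encoding was the cause here.

```sh
#!/bin/sh
# Added example: helper names and sample values are constructed, not from the thread.

# Percent-encode one value; only RFC 3986 unreserved characters pass through.
# The body runs in a subshell so LC_ALL and the variables do not leak.
urlencode() (
  LC_ALL=C
  s=$1 out=
  while [ -n "$s" ]; do
    rest=${s#?}          # everything after the first character
    c=${s%"$rest"}       # the first character itself
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
    s=$rest
  done
  printf '%s' "$out"
)

# Build the authorization_code token body: name=value pairs joined by '&'.
# Arguments: client_id client_secret code redirect_uri
token_body() (
  printf 'client_id=%s&client_secret=%s&grant_type=authorization_code&code=%s&redirect_uri=%s' \
    "$(urlencode "$1")" "$(urlencode "$2")" "$(urlencode "$3")" "$(urlencode "$4")"
)

# Count the parameters a form parser sees: pairs are split on '&' only.
count_params() (
  IFS='&'; set -f
  set -- $1
  echo "$#"
)

# Constructed sample values; the secret deliberately contains reserved characters.
ID='demo-id'; SECRET='p&ss+w/rd='; CODE='abc123'; CB='https://example.test/cb?x=1'

echo "encoded body:  $(count_params "$(token_body "$ID" "$SECRET" "$CODE" "$CB")") parameters"
# Raw interpolation lets the '&' inside the secret start an extra parameter.
echo "raw body:      $(count_params "client_id=$ID&client_secret=$SECRET&grant_type=authorization_code&code=$CODE&redirect_uri=$CB") parameters"
# Pairs separated by spaces collapse into a single parameter.
echo "space-joined:  $(count_params "client_id=$ID client_secret=$SECRET") parameters"

# Usage with the endpoint named in the thread:
#   curl -X POST --header 'Content-Type: application/x-www-form-urlencoded' \
#        -d "$(token_body "$ID" "$SECRET" "$CODE" "$CB")" https://api.nuki.io/oauth/token
```

Passing the secret on a command line exposes it in shell history and process listings, so read it from a protected file or environment variable in real use.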