
Help: invalid_grant error when obtaining an AccessToken after configuring Salesforce OAuth

Fixing "invalid_grant: invalid authorization code" in Salesforce OAuth

Hey there, let's break down how to troubleshoot that frustrating invalid_grant error you're hitting when exchanging your authorization code for an access token. This is one of the most common OAuth hiccups with Salesforce, so let's walk through the key checks and fixes:

  • Authorization codes are single-use only
    Salesforce authorization codes expire immediately after they're used—even if the first token request fails. If you've already tried using 00DXXXX5 once, that code is dead. You'll need to restart the full OAuth authorization flow to get a fresh code, then send your token request right away.

  • Double-check your redirect URI
    The redirect_uri in your POST request must match the one configured in your Connected App exactly. That means no differences in capitalization, trailing slashes, or URL structure. For example, if your Connected App has https://mysit11e.com/SalesforceCallback.aspx, make sure your request uses that exact string—no typos, no extra characters, no swapped HTTP/HTTPS (Salesforce requires HTTPS for production redirects).

  • Verify client ID and secret
    Confirm that your client_id (Consumer Key) and client_secret (Consumer Secret) match exactly what's listed in your Connected App's settings. It's easy to mistype a character, especially with those long, alphanumeric Salesforce keys. Copy-paste directly from the Connected App page to avoid errors.

  • Check code expiration
    Authorization codes only stay valid for 10 minutes. If you waited too long after getting 00DXXXX5 to send your token request, it's already expired. Grab a new code and submit your POST immediately.

  • Match your environment
    If you're working in a Salesforce Sandbox, you need to send your token request to https://test.salesforce.com/services/oauth2/token instead of https://login.salesforce.com (which is for production). Make sure your authorization flow (where you got the code) and token request are targeting the same environment.

Quick Extra Check

Head over to your Salesforce Setup > Apps > Manage Connected Apps, open your app, and verify that:

  • The "Authorization Code" grant type is enabled under OAuth Settings.
  • There are no IP restrictions or profile/permissions that might block your request (if you're testing from a new IP, you might need to adjust the Connected App's IP filter settings).

The question comes from Stack Exchange; asked by Imad.
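The checks from the answer above, run as a preflight before the token POST is sent. This is an added example, not code from the original answer or from Salesforce: `preflight`, `redact` and the placeholder credentials are hypothetical, the `/services/oauth2/authorize` path is Salesforce's standard authorization endpoint rather than something quoted on this page, and the environment check assumes the `login`/`test` hosts named above.

```python
import time
from urllib.parse import urlsplit

CODE_LIFETIME_SECONDS = 10 * 60   # lifetime stated in the answer above
PRODUCTION_HOST = "login.salesforce.com"


def preflight(authorize_url, token_url, configured_redirect_uri, form,
              code_issued_at, codes_already_sent, now=None):
    """Return likely invalid_grant causes for a token request not yet sent."""
    now = time.time() if now is None else now
    problems = []
    if form["code"] in codes_already_sent:
        problems.append("code already used")
    if now - code_issued_at > CODE_LIFETIME_SECONDS:
        problems.append("code expired")
    # Exact string comparison: case, trailing slash and scheme all count.
    if form["redirect_uri"] != configured_redirect_uri:
        problems.append("redirect_uri mismatch")
    auth_host = urlsplit(authorize_url).hostname
    token_host = urlsplit(token_url).hostname
    if auth_host != token_host:
        problems.append("environment mismatch")
    if token_host == PRODUCTION_HOST and urlsplit(form["redirect_uri"]).scheme != "https":
        problems.append("redirect_uri not https")
    return problems


def redact(form):
    """Copy of the form that is safe to log: code and secret are masked."""
    return {k: ("***" if k in ("code", "client_secret") else v) for k, v in form.items()}


# Constructed sample: code issued by the sandbox, sent to production 11 minutes
# later, with a redirect_uri whose case differs from the Connected App setting.
SAMPLE_FORM = {
    "grant_type": "authorization_code",
    "code": "PLACEHOLDER_CODE",
    "client_id": "PLACEHOLDER_CONSUMER_KEY",
    "client_secret": "PLACEHOLDER_CONSUMER_SECRET",
    "redirect_uri": "https://mysit11e.com/salesforcecallback.aspx",
}
SAMPLE_PROBLEMS = preflight(
    "https://test.salesforce.com/services/oauth2/authorize",
    "https://login.salesforce.com/services/oauth2/token",
    "https://mysit11e.com/SalesforceCallback.aspx",
    SAMPLE_FORM, code_issued_at=0, codes_already_sent=set(), now=11 * 60)

if __name__ == "__main__":
    print(redact(SAMPLE_FORM), SAMPLE_PROBLEMS)
```

Log the output of `redact` rather than the raw form when debugging, so the authorization code and Consumer Secret do not end up in application logs.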
