Receiving 'Could not authenticate with provided credentials' during OAuth flow, everything seems right

Hi All,

I know this is similar to #47212 but there’s no resolution there.

I’m trying to set up an OAuth flow, and for the most part it works fine, but it’s the POST to /oauth2/token that fails, the only POST request in the process.

I tried it using curl too with:

curl -X POST '' -H 'Accept: */*' -X POST --data 'grant_type=authorization_code&client_id={clientid}&client_secret={secret}&redirect_uri={redirectURI}&code={code}'

where anything in {} has been redacted, but was in the actual request and correct. No matter what, I keep getting:

{"code":"bad_request.could_not_authenticate","error":"invalid_request","error_description":"Could not authenticate with provided credentials","message":"Could not authenticate with provided credentials"}

I’ve verified the client secret and ID are correct, the client is created and everything.

The only other API POST request I’ve tried (to /feed) also failed. Is there something I’m missing (like a header) for POST requests?


Hey Will! It’s not a very clear error message, but I believe it’s because you’re using curl to get the access token. It works through my web app and Insomnia, but not through the command line.

Hi Hough,

Thanks for the response,

It’s not a very specific error, is it?

I don’t think that’s the case, as I initially tried it with an xhttprequest in-browser, and when I first tried with curl I was spoofing the user-agent, so Monzo would’ve seen it as a web browser and not curl.

Oh I see. Yeah, there’s something missing but I’m not too sure what. That curl request looks perfectly valid for getting an OAuth2 token.

Edit: I think I may have found the reason. It looks like the Monzo API is protected by Cloudflare and there’s an HttpOnly on the cookie it sets. Whether the HttpOnly has any significance, I’m not too sure, but CF may have a hand in this!

I managed to get it working by creating another OAuth client… Not sure why that made a difference but it works now. Thanks for the help @hough

Interesting. :thinking: No bother!
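
An added example, not part of the thread and not Monzo's code: curl's `--data` sends the body exactly as typed, so with a hand-built string like the one in the first post it is worth ruling out that a secret or redirect URI containing `+`, `&` or `%` reaches the token endpoint altered. The sketch below compares a hand-joined body with a form-encoded one; all sample values are constructed and the function names are hypothetical.

```python
from urllib.parse import urlencode, parse_qsl

# Field order used in the curl command quoted in the first post.
FIELDS = ("grant_type", "client_id", "client_secret", "redirect_uri", "code")


def raw_body(params):
    """Join values as typed, like a hand-built `curl --data` string."""
    return "&".join(f"{k}={params[k]}" for k in FIELDS)


def encoded_body(params):
    """Percent-encode every value (application/x-www-form-urlencoded)."""
    return urlencode([(k, params[k]) for k in FIELDS])


def mismatches(params, body):
    """Fields a form decoder would read differently from what was intended."""
    # parse_qsl splits on '&', turns '+' into a space and resolves %XX
    # escapes, which is how a server-side form parser treats the body.
    decoded = dict(parse_qsl(body, keep_blank_values=True))
    return [k for k in FIELDS if decoded.get(k) != params[k]]


# Constructed sample values, not real credentials or endpoints.
SAMPLE = {
    "grant_type": "authorization_code",
    "client_id": "client_EXAMPLE",
    "client_secret": "s3cr+t/Example==",
    "redirect_uri": "https://app.example/callback?src=demo&step=2",
    "code": "EXAMPLE_CODE",
}

if __name__ == "__main__":
    print("raw body alters:    ", mismatches(SAMPLE, raw_body(SAMPLE)))
    print("encoded body alters:", mismatches(SAMPLE, encoded_body(SAMPLE)))
```

With curl, the equivalent of `encoded_body` is one `--data-urlencode 'name=value'` option per field instead of a single `--data` string.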