I am encountering an issue with the OAuth 2.0 Authorization Code flow for my registered application.
Problem Description:
When my application attempts to redirect a user to the Alpaca authorization endpoint, the user is immediately shown an Alpaca error page with the message:
“An error has occurred
Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.”
When my application redirects a user to the Alpaca authorization endpoint, the user can successfully log in and sees the authorization prompt. However, immediately after clicking the ‘Authorize’ button, the user is shown an Alpaca error page with the message: ‘Client authentication failed…’ The user is never redirected back to my registered Redirect URI (/alpaca_callback.php). This occurs even when testing with the minimal parameters (response_type, client_id, redirect_uri, state, env) and in an incognito browser window. It seems the client validation fails on Alpaca’s side after user authorization but before the redirect with the authorization code is issued.
Authorization URL Being Used:
My application constructs and redirects the user to the following URL:
(Note: [GENERATED_STATE_VALUE] is a unique random string generated for each request)
Troubleshooting Steps Taken:
- I have verified that the client_id parameter in the authorization URL exactly matches the Client ID provided in my Alpaca dashboard for this app.
- I have verified that the redirect_uri parameter in the authorization URL exactly matches the Redirect URI registered in my Alpaca dashboard (including https and no trailing slash).
- The required response_type=code parameter is included, and all other required params
- I have tried including and excluding the optional scope parameter (relying on default read access when excluded). The issue persists in both cases.
- I have tried accessing the generated authorization URL directly in a clean browser session (Incognito/Private Window) and it still results in the immediate error page.
Since the failure occurs before user login/authorization and the parameters seem to match the registration details exactly, could you (does anyone work here?) please investigate if there is an issue with the validation of my client_id or redirect_uri on Alpaca’s end for this initial authorization request, or if my application registration requires further activation?
Update: Heard back from support; they said this happens because the app isn’t set to “published” within app settings. That may be true in some cases; however, the app is/was 100% set to published already. I sent them screenshots, so this in no way solved the issue.
Thank you for your assistance.
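The checks listed under "Troubleshooting Steps Taken" can be run mechanically against the URL the application actually emits. The following is an added example, not part of the original post and not Alpaca's code; `check_authorization_url` is a hypothetical helper, and the hosts, client ID and state values used with it are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs, unquote

REQUIRED = ("response_type", "client_id", "redirect_uri", "state")

def check_authorization_url(url, registered_client_id, registered_redirect_uri,
                            min_state_len=16):
    """Return a list of problems in an OAuth 2.0 authorization request URL.

    Hypothetical helper: compares the URL the app actually emits with the
    values copied from the provider dashboard.
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("authorization endpoint is not https")
    # parse_qs percent-decodes once, as the authorization server would.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in REQUIRED:
        values = params.get(name, [])
        if not values or values[0] == "":
            problems.append(f"missing parameter: {name}")
        elif len(values) > 1:
            problems.append(f"duplicated parameter: {name}")

    def first(name):
        return params.get(name, [""])[0]

    if first("response_type") not in ("", "code"):
        problems.append("response_type is not 'code'")
    cid = first("client_id")
    if cid and cid != registered_client_id:
        if cid.strip() == registered_client_id:
            problems.append("client_id has surrounding whitespace")
        else:
            problems.append("client_id does not match registration")
    sent = first("redirect_uri")
    if sent and sent != registered_redirect_uri:
        if unquote(sent) == registered_redirect_uri:
            problems.append("redirect_uri is percent-encoded twice")
        elif sent.rstrip("/") == registered_redirect_uri.rstrip("/"):
            problems.append("redirect_uri differs only by a trailing slash")
        elif sent.lower() == registered_redirect_uri.lower():
            problems.append("redirect_uri differs only by letter case")
        else:
            problems.append("redirect_uri does not match registration")
    if 0 < len(first("state")) < min_state_len:
        problems.append("state is too short to be unguessable")
    return problems
```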