I would double check that the redirect_uri matches what you registered with in the developer portal, and that it matches the initial authorization code request. If they don’t match then you will get a 401. The spec might help out as well RFC 6749: The OAuth 2.0 Authorization Framework