API Error: invalid code verifier

I'm not having any joy at all getting authorisation to work. As far as I can tell, I'm following the docs to the letter (though some of them are extremely difficult to read or interpret) and this coincides perfectly with the steps outlined in another thread (https://www.dropboxforum.com/t5/Discuss-Dropbox-Developer-API/What-way-of-authorization-to-use-for-a-PHP-open-source-module/m-p/523387#M1908).

 

I'm trying to use the PKCE flow for a Wordpress plugin built in PHP. The docs say this is the best method to use where the code will be viewable by the public so you don't want to have your app secret used.

 

I construct a url to take the user to oauth2/authorize to authorise the app. The url has the following added in correct url encoded format:

response_type=code

client_id=<MYAPPID>

code_challenge=<CHALLENGE>

code_challenge_method=S256

(with the appropriate values in place of the placeholders above).

 

The user then returns to my app and types in the <CODE> they're given, and I then save it.

 

I then immediately use that <CODE> to try to get a token using oauth2/token. I'm using CURL for this. The headers I set are:

Accept: application/json
Content-Type: application/x-www-form-urlencoded

Then for the data (sent in urlencoded format) I have

code=<CODE>
grant_type=authorization_code
code_verifier=<CHALLENGE>
client_id=<MYAPPID>

What I get back from Dropbox, though, is an error:

{"error_description": "invalid code verifier", "error": "invalid_grant"}

I keep trying different combinations of things, including with the headers,  for about five minutes until the <CODE> expires and the error message changes to that. Then I have to re-authorise the app and circle around again. The encrypted code verifier I'm sending in the token request is exactly the same encrypted code verifier I sent with the authorisation url. So why the error?

 

This is doing my head in. Can anyone please help?