polite-continent-45297
05/17/2025, 10:38 AM
An error occurred
oauth2: "invalid_client" "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). passwords do not match"
When I'm redirected back to: http://127.0.0.1:4446/callback?code=ory_ac_zAF0iQVmaz051Nv8WMDoeHKwwUCBiGowRhhQn6c0[…]XC23rrUHQ&scope=offline+openid&state=agkyillmdtdodkjblqqypvoc
I'm using ory perform ... to test

brief-egg-61061
05/17/2025, 10:38 AM
oauth2: "invalid_client" "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). passwords do not match"
indicates that the OAuth2 server is rejecting your client credentials during the token exchange step of the Authorization Code flow. This typically happens for one of the following reasons:

1. Incorrect client secret: The client secret you are providing does not match the one registered for your OAuth2 client. This is a common cause and is confirmed in several troubleshooting discussions. Double-check that you are using the correct client secret for the client ID you registered. Even a small typo or whitespace can cause this error. In one case, the error was traced back to an invalid client secret, and correcting it resolved the issue [Missing or incomplete basic auth header in token request](https://github.com/ory/network/issues/332).
2. Mismatched authentication method: By default, Ory expects client authentication via HTTP Basic Auth (`client_secret_basic`). If your client is configured to use a different method (e.g., `client_secret_post`), or if the credentials are not being sent in the expected way, authentication will fail. You can check and set the authentication method for your client using the `token_endpoint_auth_method` parameter [Client auth fails because Wrong token_endpoint_auth_method](https://www.ory.sh/docs/hydra/debug/token-endpoint-auth-method/).
3. Client not found or misconfigured: Ensure that the client ID you are using exists and is correctly configured in your Ory project. You can verify your client configuration with: `ory get oauth2-client {client.id}` and check that the client ID, secret, and allowed grant types match your usage [Refresh Token flow fails](https://www.ory.sh/docs/hydra/debug/#refresh-token-flow-fails).
4. Password length or character issues: In rare cases, issues with the client secret's length or special characters (such as hyphens or underscores) have caused problems after upgrades or migrations. If you recently upgraded Ory Hydra or Ory Network, try resetting the client secret to a new value and see if the problem persists [Unexpected bug authenticating a valid client](https://github.com/ory/hydra/issues/3581).

What you should do:

- Double-check the client ID and client secret you are passing to `ory perform authorization-code`.
- Ensure you are using the correct authentication method (default is HTTP Basic Auth).
- If you recently changed or migrated your Ory setup, try resetting the client secret.
- Make sure the client is registered with the correct grant types and redirect URIs.

If after these checks the issue persists, please provide the exact command you are running (with secrets redacted), and verify your client configuration in Ory. Let me know if you need help with any of these steps!