getting invalid client error

  • I am getting invalid client error below. Is there anything obviously wrong with my code?
    This is how I am getting the id after the register() :
    $result = $_SESSION['client']->register("", $requestJ);
    $userid=(string) $result->successResponse->user->id;

    And here is the error code I get when user clicks on the link in the email:
    "error" : "invalid_client",
    "error_description" : "client_id: 30ee85cc-47fc-4c82-a64f-c7db689ba701 is not valid.",
    "error_reason" : "invalid_client_id"

    The id I am using is the one that was returned when I registered this person.
    Here is the code to send the passwordless code```

        $request = array();
        $request["applicationId"] = $_SESSION['applicationID'];
        $request["loginId"] = $email;
        $request["state"]["redirect_uri"] = "";
        $requestJ = json_encode($request);   //convert the array into json
        $result = $_SESSION['client']->startPasswordlesslogin($requestJ);
        if (!$result->wasSuccessful()) {
            log_message('error', $result);
        $code = $result->successResponse->code;
        //send the email
        $request = array();
        $request["code"] = $code;
        $requestJ = json_encode($request);   //convert the array into json
        $result = $_SESSION['client']->sendPasswordlessCode($requestJ);
        if (!$result->wasSuccessful()) {
            log_message('error', $result);
            }                       //en

  • In looking over the documentation I found this:

    • Start a passwordless login request by generating a passwordless code. This code can be sent to the User using the Send
    • Passwordless Code API or using a mechanism outside of FusionAuth. The passwordless login is completed by using the Passwordless Login API with this code.
    • @param array $request The passwordless start request that contains all of the information used to begin the passwordless login request.
    • @return ClientResponse The ClientResponse.
    • @throws \Exception
      Can you tell me where to find a list of exactly where "all the information" required is listed?

  • @richb201 said in getting invalid client error:

    all the information


    Yup, in general for all the API calls you are creating a JSON object. How you create that JSON object varies by language, but the keys and values will be the same across different languages.

    What does that JSON object look like? The REST API documentation tells you.

    So for the passwordless object, you should look at the passwordless api documentation.

    Here's the JSON for that call copied from the relevant section:

      "applicationId": "10000000-0000-0002-0000-000000000001",
      "loginId": "",
      "state": {
        "client_id": "10000000-0000-0002-0000-000000000001",
        "redirect_uri": "",
        "response_type": "code",
        "scope": "openid",
        "state": "CSRF123"

  • Thanks Dan. My json looks pretty similair to the one you posted.


    Looks similar to me, so this is probably not the problem. I am using ngrok since I am developing under docker on my laptop. The email gets sent fine. The problem is that the link address in the FA template email starts "http://localhost:9011". I understand that is where my copy of FA is located on my laptop, but the email has been sent to a different machine! localhost:9011 won't work on a different machine!

    So my link (in the passwordless email) needs to start with I know this link works fine because when i type it into the browser address bar on the remote machine, it opens my survey fine.

    So how to get FA to send a link starting with my ngrok-http: instead of http://localhost:9011???

    Also: is there anyway to set the FROM: address in the email dynamically using templates? The employees getting the passwordless emails will probably be wary of clicking an email from rather than from

  • I managed to created my own email template and figured out that I can hard code my ngrok address in instead of localhost:9011. Where in the call to sendPasswordlessCode() or start Passwordlesslogin() do I specify to use my template instead of the standard passwordlesss login template? I also see in the comments to the create template

    [#-- The optional 'state' map provided on the Start Passwordless API call is exposed in the template as 'state' --]

    is there any documentation on the state map? Is that the [user][data] section of a request?

  • Well I "trialed and errored" my way into finding that the template to use is set in the UI (not programatically). Now my problem is that when a user clicks on the link they get "invalid URI redirect" but no mention of what is wrong with the redirect. Looking at the redirect above, can you tell me what is wrong?

  • @richb201

    Hiya, an invalid redirect error usually means that you haven't registered the redirect uri you are passing to start the grant with the application. So does your fusionauth application config have the specified uri configured?

  • This post is deleted!

  • Dan I have managed to get the user into the Authorized Redirect URL. Yay! I need to find the person in my table. I am stuffing some data that could help me find the person in my table.

        $request["user"]["data"]["taxyear"] = $taxyear;
        $request["user"]["data"]["contact_name"] = $admin_name;
        $request["user"]["data"]["admin_email"] = $_SESSION['userid'];

    How can I access these fields via the API? I also see that the state (that I have set to CSRF123) is available in _GET. Is there anything magic about state of can I just stuff the users id OR A RECORD NUMBER in that field?

    I see GET /api/user/{userId}

    but I can't use that unless I have the person's userId. Where can I find that?

  • You'll want to make sure you are using the elasticsearch engine and build a json string to search the field. There are examples here:

    One thing that threw me off is that there are two JSON objects you are creating.

    The first is the query, which is straight up elasticsearch and might look like:


    The second is the request object, which contains the escaped query:

      "search": {
        "numberOfResults": 50,
        "query": "{\"match\":{\"data.taxYear\":{\"query\":\"2020\"}}}",
        "sortFields": [
            "missing": "_first",
            "name": "email",
            "order": "asc"
        "startRow": 0

  • I am not using elastic search. But I thank you for your help, but I am getting to it a different way. I have stuffed the use's email into the "state" variable and then on the app side I am using that as an index. So while it is not the most "pretty" solution, I think it might work.

Log in to reply

Looks like your connection to FusionAuth Forum was lost, please wait while we try to reconnect.