OAuth 2.1 authorization code flow fails in API Explorer: /allow returns 403 #513

@Saw-000

Summary

Using the client_id and client_secret of an app created under my account https://soundcloud.com/ie-so, I am trying to authenticate via the OAuth 2.1 authorizationCode flow from the official API Explorer:

https://developers.soundcloud.com/docs/api/explorer/open-api

However, the authorization never completes, and I cannot call any endpoints that require user authentication.

What is happening

  • In the API Explorer I select the oAuth2_1 (OAuth2, authorizationCode) security scheme and enter my app’s client_id and client_secret, then click Authorize.

  • A new browser tab opens with a URL like:

    https://secure.soundcloud.com/authorize?response_type=code&client_id=XXXX&redirect_uri=https%3A%2F%2Fdevelopers.soundcloud.com%2Fdocs%2Fapi%2Fexplorer%2Foauth2-redirect.html&state=...

  • The page is completely blank. No login or consent UI appears, and the URL never changes; no code= parameter is added.

  • In the browser developer tools console I see:

    POST https://api-auth.soundcloud.com/allow 403 (Forbidden)

  • Because of this, the API Explorer never receives an authorization code or access token.

  • When I go back to the API Explorer and use Try it out on endpoints that require auth (for example /me), the response is always 401 Unauthorized.

Note: Using the same app with the clientCredentials flow works; I can successfully obtain an access token and call public endpoints. The issue only occurs with the authorizationCode flow.

Steps to reproduce

  1. Open https://developers.soundcloud.com/docs/api/explorer/open-api.

  2. Click Authorize and select the oAuth2_1 (OAuth2, authorizationCode) security scheme.

  3. Enter the client_id and client_secret of an app created under the account https://soundcloud.com/ie-so, then click Authorize.

  4. A new tab opens with the https://secure.soundcloud.com/authorize?response_type=code&client_id=...&redirect_uri=https%3A%2F%2Fdevelopers.soundcloud.com%2Fdocs%2Fapi%2Fexplorer%2Foauth2-redirect.html&state=... URL.

  5. Observe that the page stays blank and no login/consent UI appears.

  6. Open the browser devtools Console on that tab and observe the error:

    POST https://api-auth.soundcloud.com/allow 403 (Forbidden)

  7. Return to the API Explorer and call /me with Try it out; the response is 401 Unauthorized.

Expected behavior

  • The /authorize page should display the SoundCloud login and consent UI.
  • After successful login/consent, the OAuth 2.1 authorization code flow should complete, the API Explorer should receive an access token, and authorized endpoints such as /me should succeed instead of returning 401.

Environment

  • Account: https://soundcloud.com/ie-so
  • Browser: Chrome latest
  • The issue reproduces consistently across browsers with extensions disabled.
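
Added example, not part of the original issue and not SoundCloud code: a check of the authorization request URL that opens in the new tab, which also produces a redacted copy suitable for a public report. It inspects only the request parameters (names from RFC 6749 and RFC 7636) and does not explain the 403 from /allow. The function name `inspectAuthorizeUrl` and all sample values are assumptions.

```javascript
// Added example: check an authorization request URL copied from the address bar.
// Parameter names follow RFC 6749 and RFC 7636 (PKCE); sample values are constructed.
const REDACT = ["client_id", "state", "code_challenge"];

function inspectAuthorizeUrl(raw) {
  const url = new URL(raw);
  const p = url.searchParams;
  const findings = [];

  for (const name of ["response_type", "client_id", "redirect_uri"]) {
    if (!p.get(name)) findings.push(`missing ${name}`);
  }
  const type = p.get("response_type");
  if (type && type !== "code") findings.push(`response_type=${type}, expected code`);
  if (!p.get("state")) findings.push("missing state");

  // The OAuth 2.1 draft requires PKCE on the authorization code flow.
  const method = p.get("code_challenge_method");
  if (!p.get("code_challenge")) findings.push("missing code_challenge");
  else if (method !== "S256") findings.push(`code_challenge_method=${method ?? "absent"}, expected S256`);

  const redirect = p.get("redirect_uri");
  if (redirect) {
    try {
      const r = new URL(redirect);
      if (r.protocol !== "https:") findings.push("redirect_uri is not https");
      if (r.hash) findings.push("redirect_uri contains a fragment");
    } catch {
      findings.push("redirect_uri is not an absolute URL");
    }
  }

  // Copy that can be pasted into a public issue without the client or session values.
  const redacted = new URL(url.href);
  for (const name of REDACT) {
    if (redacted.searchParams.has(name)) redacted.searchParams.set(name, "REDACTED");
  }
  return { endpoint: url.origin + url.pathname, findings, redacted: redacted.href };
}

// Constructed sample: endpoint and redirect_uri as shown in the report; client_id and
// state are placeholders, code_challenge is the example value from RFC 7636 Appendix B.
const SAMPLE =
  "https://secure.soundcloud.com/authorize?response_type=code&client_id=EXAMPLE_ID" +
  "&redirect_uri=https%3A%2F%2Fdevelopers.soundcloud.com%2Fdocs%2Fapi%2Fexplorer%2Foauth2-redirect.html" +
  "&state=c2FtcGxl&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256";

console.log(inspectAuthorizeUrl(SAMPLE));
```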
