Low severity · authentication
Power BI Error: AADSTS501481
What does this error mean?
PKCE validation failed — the code_verifier sent on token exchange doesn't match the code_challenge from the authorization request.
Common causes
1. The client generated a new code_verifier between the /authorize and /token requests instead of persisting the original one (e.g. lost from session/localStorage, page reload, multiple tabs).
2. code_challenge_method mismatch: the authorization request used S256 but the token request sent a verifier that was hashed differently, or vice versa with 'plain'.
3. Incorrect S256 transformation: the code_challenge was not BASE64URL(SHA256(code_verifier)) without padding, or extra encoding/whitespace was applied.
4. The authorization code is being replayed or exchanged by a different client instance than the one that initiated the flow (verifier from instance A used with code from instance B).
5. Two concurrent sign-in attempts overwrote each other's stored code_verifier before the redirect callback completed.
How to fix it
1. Persist the code_verifier in the same browser session/storage that originated the /authorize request and read exactly that value back when calling /token; do not regenerate it.
2. Verify the transform: code_challenge must equal BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) with padding stripped, and code_challenge_method must be 'S256' on both ends (Microsoft Entra ID requires S256 for confidential and SPA flows).
3. Check that the code_verifier is 43–128 characters from the unreserved set [A-Z a-z 0-9 -._~]; trim whitespace and avoid URL-encoding it.
4. If you use MSAL.js / MSAL.NET, upgrade to the latest version and let the library handle PKCE end-to-end instead of mixing manual logic; clear cached interaction state (sessionStorage keys 'msal.*') and retry.
5. Disable concurrent/duplicate sign-in initiations (e.g. double-clicked login button, multiple tabs starting auth simultaneously) so a second /authorize call doesn't overwrite the stored verifier of the first.