On the server side, using a fresh code and state from the authorization endpoint, I am providing the following request to the Fitbit API:
URL: https://api.fitbit.com/oauth2/token
METHOD: POST
BODY: client_id=22BZGP&code=eee45fb8d6e63478f9884f649485f4ea084250be&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fauth.expo.io%2F%40krajiyah%2FRPG-IRL
HEADERS:
- Authorization: Basic base64(client_id:client_secret)
- Content-Type: application/x-www-form-urlencoded
The response I get back from you guys is this (the status code is 400):
{\"errors\":[{\"errorType\":\"invalid_grant\",\"message\":\"Authorization code verifier invalid: null Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process.\"}],\"success\":false}
I have double checked my client_id:client_secret base64 header and it looks right to me (I already got past this error, so I think this part is working fine).
My server is a Go server hosted on Heroku (but this should not matter in an ideal world).
I actually realized the Expo auth client uses PKCE by default. So by adding `code_verifier` to the request I got things working.
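The PKCE exchange behind that fix, as an added example in Go (the poster's server language) that is not code from the original post, Fitbit or Expo: the client generates a random `code_verifier`, sends its S256 `code_challenge` to the authorize endpoint, and then includes the original `code_verifier` in the token request next to the Basic auth header. The secret and code values in `main` are placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// NewCodeVerifier returns a random PKCE code_verifier (RFC 7636: 43..128 chars).
// 32 random bytes base64url-encoded without padding is exactly 43 characters.
func NewCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// CodeChallengeS256 derives the code_challenge that goes to the authorize
// endpoint (with code_challenge_method=S256). Only the hash leaves the client.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// BuildTokenRequest builds the POST to the token endpoint. code_verifier is the
// field the original request was missing; the client secret only goes in the
// Authorization header, never in the form body.
func BuildTokenRequest(tokenURL, clientID, clientSecret, code, redirectURI, verifier string) (*http.Request, error) {
	form := url.Values{}
	form.Set("client_id", clientID)
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("redirect_uri", redirectURI)
	form.Set("code_verifier", verifier)
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(clientID, clientSecret) // Basic base64(client_id:client_secret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

func main() {
	v, _ := NewCodeVerifier() // placeholder values below; keep v until the token call
	fmt.Println("code_challenge for authorize URL:", CodeChallengeS256(v))
	req, _ := BuildTokenRequest("https://api.fitbit.com/oauth2/token", "22BZGP", "CLIENT_SECRET_PLACEHOLDER", "CODE_PLACEHOLDER", "https://auth.expo.io/@krajiyah/RPG-IRL", v)
	fmt.Println("token request has code_verifier:", req.PostFormValue("code_verifier") == v)
}
```

The verifier must be stored server-side between the authorize redirect and the token exchange, which is why a server that did not generate the challenge cannot complete an Expo-initiated PKCE flow without receiving the verifier from the client.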
I also tried it in Postman and got the same result: https://drive.google.com/file/d/1URBhE84UUSOMVJxBcJAHiAi15gc4qg3E/view?usp=sharing