Invalid PKCE code_verifier/code_challenge combination

Where does the bug appear (feature/product)?

Cursor CLI

Describe the Bug

Cursor is sending an invalid combination of code_verifier and code_challenge when performing an authorization_code flow with PKCE. Example:
code_challenge sent in the authorization request: dUCNylvyOV1FWwB1S598WZ_i2a8-DTRKkkFBRPZnA-Y
code_verifier sent in the access token request: Jvj2G4bj8p8e%7E0xHJ-KHQIXfTMNYPEmw%7EJdaDdojhET

echo -n "Jvj2G4bj8p8e%7E0xHJ-KHQIXfTMNYPEmw%7EJdaDdojhET" | sha256sum -b | xxd -p -r | base64 | tr '/+' '_-' | tr -d '='
4URMW0PuVd8fbyu12A1ztYRBM546gPKg7IvJiS98HC0

Steps to Reproduce

Just perform a normal OAuth2 authorization code with PKCE request with Cursor.

Expected Behavior

The code_verifier and code_challenge do not match.

Operating System

MacOS

Current Cursor Version (Menu → About Cursor → Copy)

Version: 1.6.42 (Universal)
VSCode Version: 1.99.3
Commit: 5911e9593196a000b1c00553aaf03b0b32042b90
Date: 2025-09-20T17:16:56.346Z
Electron: 34.5.8
Chromium: 132.0.6834.210
Node.js: 20.19.1
V8: 13.2.152.41-electron.0
OS: Darwin arm64 24.6.0

Does this stop you from using Cursor

Yes - Cursor is unusable

Thanks for reporting this. To help diagnose the issue, could you clarify what specific action you were performing when this occurred? Was it for cursor-agent login or something related to MCPs?

Can you also run cursor-agent update and share your cursor-agent --version please?
