Keycloak 9 - Login fails with code to token exchange error unless login using incognito mode

Hello everyone,

I have a Keycloak deployment running in a Kubernetes cluster with 2 pods in HA mode. Everything was working fine until one day we had one user that couldn’t login because of CODE_TO_TOKEN_ERROR. We tried everything from restarting the pods to clearing the browser cache, but nothing worked until we tried login to Keycloak using incognito mode. Magically, after we did that, all subsequent logins started to work normally (including non-incognito mode).

We know that the issue is gone, but we really want to know why it happened. It seems like Keycloak had some blocking data that prevented the authentication from happening, and the browser incognito mode freed that data.

Any input from the community on this case would be very appreciated. Thank you :slight_smile:

I would say Keycloak logs are your good friend. Filter errors, backtraces,… That error very likely also has a description with more details. Blind guess: a problem with the Infinispan cache/cluster. It also looks like you have a sticky session on the LB.

I have just had the same problem: after redeploying my application and trying to log in, requests to /realms/<realm-name>/protocol/openid-connect/token return a 400 with the following error: {"error":"invalid_grant","error_description":"PKCE verification failed: Code mismatch"}

Additionally the logs:

2025-08-09 09:43:13,302 WARN [org.keycloak.events] (executor-thread-267) type="CODE_TO_TOKEN_ERROR", realmId="<redacted>", realmName="<redacted>", clientId="<redacted>", userId="<redacted>", sessionId="<redacted>", ipAddress="<redacted>", error="code_verifier_missing", reason="PKCE code verifier not specified", grant_type="authorization_code", code_id="<redacted>", client_auth_method="client-secret"

As jangaraj already mentioned, it is probably some session info, since using incognito mode or a different browser does not lead to the same issue…

So I was able to fix my issue. After comparing the requests being made to /realms/<realm-name>/protocol/openid-connect/token, I noticed that from the original browser (where the response was consistently the 400) the request didn’t contain a code_verifier, which obviously was the cause of the issue. Opening the Inspector and looking in the Session Storage, I found a code_verifier entry, which I then deleted. After that everything works fine again.

The question now is whether this will happen again on the next application update or whether it was specific to the changes I made to my application. Since the changes also included some authentication changes, I suspect that it’s the latter, but unfortunately I’m not knowledgeable enough to know for sure…

In any case I’m happy to provide more information if someone is interested in digging deeper into this issue.