For the Request Access Token (/oauth/token) It is not clear what the redirect_uri should be set to and that it has to match the Authorization Code request redirect_uri. Why is that even needed? The “code” that is returned should be a precise indicator of what access token is being requested, along with the Basic Authentication Header.
Also there is no information on what an error might look like when returned, it’s format, contents, data type, … Will a 400 error always return a json node?