This is a bug I believe, and it took me 2-3 days to figure it out. Please do the following to get it working,

1) Remove the "?api-version=1.0" from your URL. I know it sounds strange but trust me their documentation is a mess.

2) Add a "Content-Type": "application/x-www-form-urlencoded" header in your request (hence you‘ll have to encode the post data values ... for example redirect_url=(encodedURL) etc

3) Remove unnecessary fields from post data REFER ... it should be like

{
    ‘grant_type‘: "authorization_code",
    ‘resource‘: "your resource",
    ‘client_id‘: "your client Id",
    ‘redirect_uri‘: "your redirect URL",
    ‘client_secret‘: "your client secret",
    ‘code‘: "the code u got
 
"
}

I see you have done point 2 so you‘ll need to do point 1 and you‘re good to go.

Furthermore, if you want to get access_token quickly(if nothing I said works for you), then pass "client_credentials" in grant_type and you‘ll get a smaller response with access_token. But if you want the complete response with refresh_token as well, you‘ll have to do all those steps.

EDIT: There is one more mistake in their documentation, for Refresh Tokens >>> the URL should be oauth2/token and NOT oauth2/authorize

This is a bug I believe, and it took me 2-3 days to figure it out. Please do the following to get it working,