This looks like front end code XMLHttpRequest you shouldn’t be doing this sort of call in front end code as you end up leaking your secret.
This header is not needed, it only applies to calling Kraken, oAuth flow is not kraken.
You are trying to do an oAuth flow in the front end that you shouldn’t be doing as you leak your secret to the world.
As to your actual problem, not sure it looks correct, check that data contains what you expect it to contain. Or construct your URL to use query string parameters isntead of .send(data); additionally check that SECRET is actually populate.