Cannot retrieve my Access Token

Following the instructions in the documentation (the part sme for REST or XLM-RPC) I am using this command to retrieve my Access Token (I have successfully connected to my Developer App in IS and retrieved my code):
form action=“” method=“post”>
input type=“text” name=“client_id” id=“client_id” value=“MYID”>
input type=“text” name=“client_secret” ID=“client_secret” value=“MYSECRET”>
input type=“text” ID=“code” name=“code” value=“<? echo $_GET["code"]?>”>
input type=“text” name=“grant_type” value=“authorization_code”>
input type=“text” name=“redirect_uri2” id=“redirect_uri2” value=“MYURL”>
input type=“submit” name=“submit” id=“submit” value=“Submit”>

What I get is either a {error: 403} forbidden error)

IF I change the method from post to get (It clearly states it has to be post) I get an XML error:596 Service Not Found

I feel like I’m missing something simple.

Would appreciate some help.


provide a link to what docs you’re talking about because that doesn’t look like any documentation I’ve seen. Also, if you’re trying to get an access token then you’re using the wrong endpoint…let’s start with what docs you’re drawing off of though.

Great question. Here are the instructions under XML-RPC:

And here are directions that are virtually the same for REST:!/Authentication/permission

Once you get the access token REST and XML-RPC use different queries, but to get the access token they are apparently the same.


Example code can be found here:

Thanks John. Those are great examples. My problem starts before that though - I cannot get an access token and I don’t know why. I get a 403 forbidden error. Infusionsoft has been helpful, but so far we’re all scratching our heads as to what the problem is.

You’ve setup your mashery account and have your client secret and password and the account shows as ‘active’, correct?

Yes, that’s correct. And I get through the first phase with no errors or problem. I receive the code I need to get the Access Token.

But when I request that token, I get a 403 error on IS’ side

Out of curiosity, is the Redirect URL setup in your Application Account, and is working all okay?

Is it a valid URL Address?

I noticed you have a “redirect_uri2” in your Form, what does the “2” mean here?

1 Like

Good catch on the redirect_uri2, Pav. I fixed that (to redirect_uri) after I posted the code.
Great point about the Redirect URL setup in my application account. It was NOT exactly the same as the value I was putting in the uri field. However, now when I try to retrieve my code (and sign in to get permission) instead it just signs me in to Infusionsoft- not as a developer but as a user.

I feel that I’m going backwards here. Signing in with my user credentials was how it authorized my code before, but trying it at that step with my developer credentials, now I get an error page:
his site can’t be reached

The webpage at might be temporarily down or it may have moved permanently to a new web address.

So this is all pretty frustrating!

Any additional insights would be greatly appreciated.

Okay, I experimented in what you are trying to do, but I was also getting the same failure when doing a Form POST as well. Using cURL I was able to get the Access / Refresh Tokens as normal.

Here is a copy of the code I used. First part is the Authorization using a Form Element. Second part uses cURL to process the Access Code and get the Tokens. Once you have authorized, it will go back to the script, do the cURL and return the Tokens.

Fill in the variables at the top for your application. You will need to deal in storing the Tokens, as the Access Token lasts for 24 hours, and the Refresh Token lasts for 6 months. You will need to refresh the Tokens after 24 hours. Some developers use Cron Jobs to refresh the tokens every 21 hours, or whatever you feel.

    $client_id = "XXX";           // YOUR CLIENT ID 
    $client_secret = "XXX";    // YOUR CLIENT SECRET
    $redirect_uri = "XXX";      // YOUR REDIRECT URL

        <h1>(1). Authorize</h1>
        <form action="" method="GET">

            <input type="text" name="client_id" id="client_id" value="<?php echo $client_id; ?>">          
            <input type="text" name="response_type" value="code">            
            <input type="text" name="scope" value="full"> 
            <input type="text" name="redirect_uri" id="redirect_uri" value="<?php echo $redirect_uri; ?>">
            <input type="submit" name="submit" id="submit" value="Submit">
        <h1>(2). Tokens</h1>

                // Setup the HTTP Header Content Type.
               $headers = array('Content-Type: application/x-www-form-urlencoded');               

               // Setup the Fields we are going to post.                
               $fields = array(
                   'client_id'     => $client_id,
                   'client_secret' => $client_secret,
                   'code'          => $_GET['code'],
                   'grant_type'    => 'authorization_code',
                   'redirect_uri'  => $redirect_uri

               // Setup cURL so that we can post the Authorization information.
               $ch = curl_init();   

               curl_setopt($ch, CURLOPT_URL,            "");        
               curl_setopt($ch, CURLOPT_HTTPHEADER,     $headers);
               curl_setopt($ch, CURLOPT_POST,           count($fields));
               curl_setopt($ch, CURLOPT_POSTFIELDS,     http_build_query($fields));
               curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

               // Execute cURL and get the result back.
               $result = curl_exec($ch);

               // Close the cURL connection.

               // Get and store the Tokens.
               $response = json_decode($result);   

Thanks so much for that, Pav. I don’t know why the POST stopped working, but GET works, and that’s what counts.

The code gave me no errors, so I assume it’s working the way it’s supposed to.

Thanks again, and great, clean code, by the way.

As long you got something back like the following below, then you can use the Access Token in the API Function calls.

stdClass Object ( [access_token] => abc123 [token_type] => bearer [expires_in] => 86400 [refresh_token] => abc123 [scope] => full| )

I have not used the form approach before, so not sure what the limitations are here.

Anyway, may sure you store and deal with the tokens accordingly. If they have both expired, then you will have to authorize again.

Thanks, that is the string I got, with the Access Token and refresh token. It’s a shame that the IS documentation is so incomplete, because it assumes a lot, and I don’t know where to take it from here.

Thanks again Pav, that worked like a charm

I want to follow up here on what happened with POST not working anymore. Per the OAuth 2.0 specification the Authorization request has to be a GET. It was working with a POST coincidentally due to how we bind data from the request. We recently updated some of our services that affect OAuth which included a move to a new domain for Account Central. We had our Load Balancer start to issue redirects to the new domain for all GET requests to the affected services. POSTs we obviously not redirected which was causing your issue. We are sorry for the inconvenience that it caused. Also on the documentation side of things we would love to hear where you struggled so we can improve the docs.

i’m confused so this is outdated then? it says to post!/Authentication/permission_0


The link you posted is for access tokens. The process @bradb is speaking about is for the authorization token.

1 Like

Thanks. This is the clearest example I’ve found to retrieve the access token.