"Invalid client" if I try to get access token

If I try to get my access_token, I always get back:


Here is the call to Infusion api (I use NodeJS and node-fetch):

   fetch(if_token_url, {
    method : 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded'
    body: {
      'client_id' : if_client_id,
      'client_secret' : if_client_secret,
      'code' : if_tmp_code,
      'grant_type' : 'authorization_code',
      'redirect_uri' : redirect_uri
  .then((api_response) => {
    return api_response.text();
  .then((api_response_text) => {
  .catch((api_err) => {

I’ve browsed through this forum and ruled out these possible reasons for the error:

  • redirect_uri is the same for first “authorize” request (which works; I get back the temporary code) and the actual “access token” request (which fails with above error)
  • I send it as ‘application/x-www-form-urlencoded’

However, I also noticed this:

I would double check that the redirect_uri matches what you registered with in the developer portal

I have no idea where I could register my redirect URI in the developer portal.

Any tips?

Just to double-check (per docs), can you verify that:

if_token_url = “https://api.infusionsoft.com/token
if_client_id = “your_registered_clientid”
if_client_secret = “your_registered_clientsecret”
if_tmp_code = “string_posted_to_your_endpoint_when_user_is_redirected_back_to_you_via_browser”
redirect_uri = “your_endpoint_to_receive_authcode_above”

1 Like

Hi Tom,

thx for your reply. Much appreciated.

I can verify all of the parameters are filled with the values defined in your request.

“if_token_url” → is ‘https://api.infusionsoft.com/token’.
“if_client_id” and “if_client_secret” → are from the ‘https://keys.developer.infusionsoft.com/apps/mykeys’:


“if_tmp_code” → is the “code” URL parameter value grabbed from the URL after redirected back to my app (after Infusion completed step “Request Permission”).

“redirect_uri” → is the same URL we just where redirected to from Infusion (after Infusion completed step “Request Permission”) - without the url parameters (e.g. “code” or “scope”).

What do you think about this?:

I would double check that the redirect_uri matches what you registered with in the developer portal

Is this advice outdated?
If no: Could you point me where I need to “register” the redirect url in the dev administration app?

Thanks a lot!

Another idea in addition to my last response above:

I have three apps created in https://keys.developer.infusionsoft.com/apps/myapps.

  1. (two years old) is heavily used (accessed via Infusion-PHP-SDK).
  2. (two years old) is occasionally used (accessed via Infusion-PHP-SDK).
  3. (new one, which I plan to use to replace the two above ones; use NodeJS) is in “waiting” state for two weeks now (see here).

Long story short, I couldn’t afford to delay development of my newest api wrapper until the third app is approved by Infusion, so I decided to access, for the time being, the second app.

Question: May this be the reason of my troubles? Is it ok to request an access_token with “Infusion-External-App-B” if there is already an access_token for “Infusion-External-App-A” for one “Infusion-Internal-App-Registration”?

I hope I could express myself :sweat_smile:


The redirect URI is the callback URL specified during Application creation at https://keys.developer.infusionsoft.com :

If you’re reusing an existing Application key, you’ll need to proxy the callback through that to your new app, but you would then be reusing quota from the first one.

Aha! Thx for that.

I changed it to match my redirect URI but I still get “invalid_client” back…

I’m going crazy over here :crazy_face:

Any additional ideas?

What is the exact response code you get (a 401 or a 403). Also what are headers you get back in the response (interested in the X-Mashery-* ones)

Hi Bradley,

thx for attending!

Here is the response I get:


I will not embarrass myself by trying to make sense out of it.


This error will result from an app in mashery that has not yet been set active but is still in a pending status. Check mashery to be sure but that’s one of the most common reasons for the message.

Hi John,

the app in question is not “pending” but active for two years now.


Sorry for the delay in getting back to you. This is caused by your client_id not being active. So either either the client_id has been deleted or is in a waiting state. Hope this helps. Also I would check to make sure you are using the right client_id.

1 Like

Hi there? I face the same problem, I keep getting invalid_client, everything seem correct, yet still getting the error invalid_client. When I check on my return header I got this:

WWW-Authenticate →Basic realm=“api.infusionsoft.com

X-Error-Detail-Header →Account Inactive

X-Mashery-Error-Code →ERR_403_DEVELOPER_INACTIVE

X-Mashery-Responder →prod-j-worker-us-west-1c-12.mashery.com

My developer account is Active as I login my account to check the status.

What’s is wrong? Has been spending many hours to salve the issue, but couldn’t get out of it.

Please help! Thank you!


You will need to provide what your request looks like url, payload, header, etc so we can help. Mask you client_secret and any authorization code though, because that is sensitive data.

I’ve just registered a new sandbox app the same story happened with me here. Nothing from this thread helps :frowning: