Invalid response when calling refresh token

API Q&A
1

Hi, I am getting the following error when trying to call refresh token to refresh an access token.

Here is the error message I am getting:

    HTTP/1.1 400 Bad Request\r\n"
-> "Cache-Control: no-store\r\n"
-> "Content-Type: application/json;charset=UTF-8\r\n"
-> "Date: Sat, 02 Feb 2019 08:21:10 GMT\r\n"
-> "Pragma: no-cache\r\n"
-> "Server: Mashery Proxy\r\n"
-> "X-Mashery-Error-Code: ERR_400_BAD_REQUEST\r\n"
-> "X-Mashery-Responder: prod-j-worker-us-west-1c-10.mashery.com\r\n"
-> "Content-Length: 69\r\n"
-> "Connection: Close\r\n"

"{\"error\":\"invalid_grant\",\"error_description\":\"Invalid refresh token\"}"

I noticed that this is happening while trying to call for refresh an access token in second time.

I really don’t understand what went wrong. Please advise!

2

Refresh tokens are single use. When you use it the first time you will get a token response with the new access token as well as a new refresh token. Hope that helps!

3

Hi, I do get the new access token and refresh token for the first time I call the API to request for new token.

However, I am getting 400 bad request when the new token (first time) is expired and I tried to request for second time and getting the error response (see above). I am not too sure what was the issue over here.

4

Call you post the refresh token request body and take out sensitive information like access/refresh tokens. The post to refresh should look something like this:

POST /token HTTP/1.1
Host: api.infusionsoft.com
Content-Type: application/x-www-form-urlencoded
 
grant_type=refresh_token
&refresh_token=xxxxxxxxxxx
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx

The client_id and client_secret can also be sent as basic auth header instead of in the body if you prefer.

However the error response thinks you have already used this refresh token. Seems like you are in test mode still, but in larger systems I have seen threading problems cause this. One thread attempts the refresh and is successful, and at the same same a different thread attempts the refresh using the same refresh token put fails because the other thread beat them to it.

5

Brad,
I am having similar issue, I tried your suggestion and tried to send as following request using Postman. I am getting an invalid_client, please help. I have double checked client id, secret and refresh token I have used.

POST /token?grant_type=refresh_token& refresh_token=xxxxxxxxxxxxxxxxxxxx& client_id=xxxxxxxxxxxxxxx& client_secret=xxxxxxxxxx HTTP/1.1
Host: api.infusionsoft.com
content-type: application/x-www-form-urlencoded
cache-control: no-cache
Postman-Token: xxxxxxxxxxxxxx

6

Let me know your solution for this issue.

7

Super sorry for not seeing this earlier. Are you still having the issue?

8

Hi @bradb, I’m testing this refresh token process with a sandbox account, I have the same issue "Invalid refresh token". My steps are:

  1. Get the permission for the app and get the authorization_code
  2. Get a new access_token with the API, this also returned me the refresh_token
  3. I try to the refresh token with the API, passing the refresh token (of step 2), and boom! the issue happen

I’m doing the step 3 just 1 or 2 minutos after the step 2, question: Is there a time lapse to refresh token? I mean, we are necessary refresh token 3 (or less) hours before token expired?

Thanks!