Trying to get the auth code from signin.infusionsoft url

I’m trying to authenticate in Keap to get the code and I’m trying in Ruby on Rails like this:

def oauth_url(redirect_uri)
    params = {
      client_id: id,
      redirect_uri: redirect_uri,
      response_type: :code,
    '' + params.to_query

The response is 403 forbidden and the logs say:
Processing by V1::KeapController#oauth as HTML
Parameters: {“keap”=>{}}
Redirected to
Completed 302 Found in 1ms (ActiveRecord: 0.0ms | Allocations: 164)

Is the localhost redirect_uri an issue? I can’t find documentation about this, even the url came from other app because I can’t find anything here explaining that basic part.

Our system is Ruby on Rails and runs OAuth2 for Keap (we are a SaaS listed on the Keap Marketplace). Here’s the guys who built it. They already have all the code you need (routes, model, controller, views), and it all works.

Good afternoon Diego!

You can find our OAuth2 documentation here: Getting Started with OAuth2 - Keap Developer Portal

Unfortunately I’m not familiar with Ruby, so I can’t really do much to help with the code directly, but I can at least add some explanation to the technical specifications.

An end user of your application typically requests a page, often via a button with something like “Sign In with Keap”. Your application then redirects them to our Accounts service with your Client Id to identify the request. The end user chooses the tenant they wish to grant access to, and are then redirected to your specified redirect URL with a POST that contains an Authorization Code. You may then render them a view showing that authorization was successful, etc.

At that point you can take that Authorization Code, your Client Id and Client Secret and perform a Token Request, which returns an Access Token (24h) and a Refresh Token (45d). Each time you need a new Access Token you will submit that Refresh Token for a Refresh Request, which will return a new Access Token and Refresh Token pair that you can persist.

Once you have an Access Token (or regenerate one via making a Refresh Request) you can use that as a Bearer Token in the Authorization Header of a call to our Keap APIs.

Well, that guide doesn’t explain that much. For example, it doesn’t have anything related to the signin.infusionsoft URL. I tried to hit that URL in those docs but same result. So, since the sign-in URL is nowhere, maybe I should focus on that account’s URL that you mention I should be redirecting to.

If I’m right, that is the URL of your Accounts service.