Access Token 401 Error - "Unable to authenticate username and password"


I’m developing an integration for Infusionsoft but I am struggling with the process of getting an access token.

I have been able to generate the URL to start the OAuth 2.0 flow. Using the URL brings me to
the user permission screen asking for access with the “Allow” and “Deny” prompt for my sandbox developer account.

I click “Allow” and the system takes the code returned and makes a POST API call with the following components:
url = ‘
headers = {
‘Content-Type’ : ‘application/x-www-form-urlencoded’
params = {
“client_id” : ‘xxxxxxxx’,
“client_secret” : ‘xxxxxxx’,
“code”: xxxx,
“grant_type” : “authorization_code”,
“redirect_uri” : ‘my_redirect’,

However I keep getting a 401 Error back:
“message”:“Authentication call to Infusionsoft failed with code 401 Error was: b’\n {\n “error”: “invalid_grant”,\n “error_description”: “Unable to authenticate username and password”\n }\n '”}]

I assumed the username and password here was referring to the client ID and client secret. I have double checked them and they seem correct.

I have also made sure my redirect URL is the same in both steps of the OAuth 2.0 process.

It there something incorrectly configured in my sandbox account? What is happening here?


By any chance does your redirect_uri contain more than one query param?

No, my redirect URI contains no query parameters:

I have a video I created that attempts to clear up the common mistakes and/or mis-conceptions. I don’t know if it will apply to your situation but it’s possible :wink:

Give us your raw request headers and payload, but redact you secrets.

I have already basically posted the entirety of the headers/parameters I am using in my first post, but I will re-post it again.


There is no json payload or request body. The documentation states only parameters are needed.

I realized that I get this “401 Username/Password” error up no matter what my parameters or body are. I removed all parameters, added a body, and made many other changes. The error was always the same one. It’s quite frustrating to try and break the request and have the error message not even change…

I saw you first post with varaibles you were using and the reason I asked for the raw request is the exact issue you are having. The POST requires a body per spec. You can’t pass the values in as query params. Can you point me to the docs you found that state you can use query params so we can remedy them?

Ugh, such a silly mistake. Yeah… I think I became confused on this page: I interpreted “params” as query params at this page..

I suppose I should have read more into the content-type needing to be application/x-www-form-urlencoded.

I have done other OAuth 2.0 integrations and actually changed my code from using this exact method for some reason when I saw parameters there.

Thanks for your help. Switching the data over to key-value pairs in the body has solved the problem.