How to get started with API Authentication

(Jacob Turley) #21

If I change the origin to facebook for example, which has an official cert (I would hope!), it still returns a 403, so I don’t think the cert has anything to do with it.

(Von Villafuerte) #22

Were you able to make the request token work?

(Von Villafuerte) #23

I am using the same code as Ben and I am aware that the authorization header should be added. I did that in the format “Basic {base64_username_password}”. I still got a 401. Are the username and password parts the dev Key and Secret, respectively?

(Bradley Booth) #24

Is your client_id active in the developer portal?

(John Borelli) #25

Just to make certain, you are separating with a colon, correct?

(Von Villafuerte) #26

Hi @bradb yes it is active. Also, I tried my key and secret here and it works.

@John_Borelli yes the format before encoding and turning it into base64 is username:password. I also tried the code from Ben’s post that has the same format that you are asking and it doesn’t work.

What else am I missing?

(Bradley Booth) #27

Sorry for the delay in response, I am going back rereading this entire post. Are you getting the CORS error or something else? If you are getting a CORS error it is because we do not allow AJAX requests to get tokens. This has to be done outside a browser.

(Von Villafuerte) #28

Hi Brad, no I’m not getting a CORS error. I’m trying to get an access token server-side using .NET code.

(Jon Smith) #29

@Von_Villafuerte Please correct me if I’m wrong but the base64 encode should be for the key:secret instead of a username and password. The Key and secret can be found in the developer center here:

I would like to make sure that we aren’t getting ahead of ourselves though. To confirm: the user is clicking the “Allow” button, which returns an authorization code to your script, and the script is then returning the code to get the access token and the refresh token? Calls using the Access token are working correctly; it is just that the refresh of an access token isn’t working, where a POST is made to with the header that looks like this:
Authorization: Basic xxxxxxxxxxxxxxxxx
Content-Type: application/x-www-form-urlencoded

and the request body sent like this:

Where “MyRefresh” is the most recent refresh token that was authored for the developer application per user per application.

(Von Villafuerte) #30

Hi Jon, yes I used key as the username and secret as the password. I think I mentioned that in the previous comment. Also, yes I was able to get an authorization code from the flow you described (user got redirected to the allow access page, then redirected back to our application). I also tried with and without the Content-Type you stated and both did not work.

(John Borelli) #31

@Von_Villafuerte just checking… you’re looking in the post-back body for tokens, right? i.e. not the post header?

(Bradley Booth) #32

Can you get us what the POST looks like (body and headers), as well as the response (body and headers)?

(Himanshu Phirke) #33

I was getting ERR_403_CORS_ORIGIN_DENIED.
I had used CURL and it started working.

(Erik Rahman) #34


I had tried to get an Access Token using .NET like Ben did and got the same result i.e. it does not return a “code” back to the callback.
I also tried to get the Access Token using Postman and got the error message “invalid_client” whereas my API Keys status is active.

I request the Access Token to POST to with the following parameters:
client_id : ************************
client_secret : **********
grant_type : authorization_code
redirect_uri : http://localhost:2412/home/callback

What did I miss?


(Jon Smith) #35

Invalid client means that the client_id is incorrect. This could be because the client_id isn’t the same as what is found here:
It could also be because the authorization header is formed incorrectly or the client_id is being used incorrectly. I have also seen special characters like an = sign removed from the authorization header which causes this issue.

The redirect_uri could also be the cause of this if it isn’t URL encoded when passing it for both the redirect user step and the request access token step of the process.
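An added Python example (not code from this thread or from the API vendor) that puts the pieces argued over above into one place: the Basic header built from key:secret with its base64 padding intact, a check that catches a stripped “=” or a missing colon, and the form-encoded body for both the authorization_code and refresh_token grants with redirect_uri percent-encoded. The token endpoint URL is a placeholder because the thread never shows it, and the credentials are constructed samples.

```python
import base64
from urllib.parse import urlencode

# Placeholder: the thread does not show the token endpoint URL, so none is assumed here.
TOKEN_ENDPOINT = "https://TOKEN_ENDPOINT_PLACEHOLDER/token"

def basic_auth_header(client_key, client_secret):
    """Authorization value: 'Basic ' + base64 of 'key:secret' (colon-separated, padding kept)."""
    raw = f"{client_key}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def check_basic_header(header_value):
    """Decode a Basic header back to (key, secret), rejecting the malformed cases from the
    thread: stripped '=' padding, wrong scheme, or a credential without the colon."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic credential")
    if len(token) % 4 != 0:
        # base64 output is always a multiple of 4 chars, so a missing '=' shows up here
        raise ValueError("base64 padding ('=') was stripped from the header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    if ":" not in decoded:
        raise ValueError("credential must be key:secret")
    key, _, secret = decoded.partition(":")
    return key, secret

def build_token_request(client_key, client_secret, grant_type, code=None,
                        redirect_uri=None, refresh_token=None):
    """Return (headers, body) for the token POST. Credentials go in the Basic header, not the
    body; urlencode() percent-encodes redirect_uri so ':' and '/' survive the form body."""
    headers = {
        "Authorization": basic_auth_header(client_key, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    params = {"grant_type": grant_type}
    if grant_type == "authorization_code":
        params["code"] = code
        params["redirect_uri"] = redirect_uri
    elif grant_type == "refresh_token":
        params["refresh_token"] = refresh_token
    else:
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    return headers, urlencode(params)

if __name__ == "__main__":
    # Constructed sample credentials; the redirect_uri matches the one quoted in the thread.
    hdrs, body = build_token_request("abc", "xyz", "authorization_code",
                                     code="AUTH_CODE_FROM_CALLBACK",
                                     redirect_uri="http://localhost:2412/home/callback")
    print(hdrs["Authorization"], body, sep="\n")
    print(check_basic_header(hdrs["Authorization"]))
```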