Xero - beautiful accounting software

Xero Developer Help Center

Xero Developer Community

Community > API Authentication >

Help with refreshing expired access token in OAuth 2.0

Started by Matthew Freire -   in API Authentication

Hello

I am querying the Xero API with the Python requests library and am using OAuth 2.0. When trying to refresh the access token when it has expired, I am getting the following response:

{'error': 'invalid_grant'}

This is the code I am using to refresh the token:

import base64
import requests

def refresh_xero_token(refresh_token):
basic_token = base64.urlsafe_b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
headers = {
'Authorization': f"Basic {basic_token}",
'content-Type': "application/x-www-form-urlencoded",
}
data = {
'grant_type': 'refresh_token',
'refresh_token': refresh_token
}
res = requests.post(XERO_REFRESH_URL, headers=headers, data=data)
return res.json()

Any help would be appreciated.
Hi Matthew,

Code-wise, your header names and form data property names look fine.

One thing to note - at the moment, the response for an access token refresh request includes a new refresh token, and invalidates the old one. If you retain the old one and try to use it on your next refresh request, you'll get an invalid_grant message. Is it possible this is what is happening for you?

(Note we expect to be change this behaviour in an upcoming release as the result of feedback from this beta; at some point in the future, refresh requests will not return a new refresh token and the old refresh token will remain active.)

Cheers,

Russell
 

Russell Dear (Xero Staff)  

Hi Russel

Thank you for the reply. I believe this was the issue.

Regards

Matthew
 

Matthew Freire  

Great - glad it helped!

Cheers,

Russell
 

Russell Dear (Xero Staff)  

Russell, what is the plan for the beta's full release? We're evaluating making a contribution to Singer's Xero tap to make it use OAuth2 (https://github.com/singer-io/tap-xero), but we'd like to know about issues like the one you mention here w/r/t stability of how it uses things like tokens. Do you have a planned release date? Do you have a backlog of breaking changes that you're intending to make?
 

Mike Furino