Authentication trouble

I am trying to POST to the following and get 400 Bad Request:


with “Authorization: Basic BASE64AUTHSTRING”.

I seem to be following instructions carefully - but are they up to date? Why am I getting 400?

Many thanks!

Hi @urunotao ,

Ewa here from the Engineering Team at FreeAgent — thanks for your message on our forum and I’ll do my best to help out.

So that I can locate your requests in our logs, and hopefully spot the problem, could I ask that you provide some additional information from the list below?

The name of your app (as registered in Dev Dashboard)
Timestamps of your requests (in UTC)
The IP(s) from which your requests are being sent
Which environment are you querying? (production or sandbox)?

One thing to bear in mind is that the authorization code which you receive in the redirect URL after a user approves your app is only valid for 15 minutes, so it will have to be exchanged for an access and refresh tokens within that timeframe. Other than that, as long as you pass the redirect_uri which you registered on Dev Dashboard, correct code and grant_type=authorization_code in your request body, and your client ID and secret in the Authorization header, things should work as expected; you can test this process using our Quick Start Guide and the Google OAuth 2.0 Playground.

Best wishes,


Hi Ewa, thank you very much for getting back to me :slight_smile:

X-Request-Id: f930f0b7db0970cf57cb0b35df418988
Date: Sun, 24 May 2020 20:23:31 GMT
X-Rev: 65603f7912abfce15336b44bfbeda839f596b0c9
Env: prod

Can I PM you the app details/IP?

Many thanks! :pray:

Hi @urunotao,

I’ve just sent you a private message :slight_smile:

Best wishes,


1 Like

Hey @Ewa_Lipinska i am having trouble doing oAuth even after following all the steps given in the documentation.
step1: get the code from freeagent after redirect (completed)
step2: exchange the code with freagent api to get access_token (error)

this is the curl request for the step2: -

curl ‘
-H ‘authority:
-H ‘sec-ch-ua: " Not A;Brand";v=“99”, “Chromium”;v=“98”, “Google Chrome”;v=“98”’
-H ‘accept: application/json, text/plain, /
-H ‘content-type: application/json’
-H ‘authorization: Basic SFp3ZUpDVVNBVlNrTzYtemxqRW81QTpuQUJTbTctTTI4Q2RHTDBXZmhKWXNn’
-H ‘sec-ch-ua-mobile: ?0’
-H ‘user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36’
-H ‘sec-ch-ua-platform: “Windows”’
-H ‘sec-fetch-site: cross-site’
-H ‘sec-fetch-mode: cors’
-H ‘sec-fetch-dest: empty’
-H ‘accept-language: en-US,en;q=0.9’
–data-raw ‘“code=1QIoY8O0FVGkSdITZVO0JyX8jkBz2vjGQlgLnH6Ge&grant_type=authorization_code&redirect_uri=http%253A%252F%252Flocalhost%253A3000%252Fredirect”’

this is the exact error from the api:-

PS : - have removed the referer header (-H 'referer:) & origin header (-H 'origin:) from the request as new users can only embed 2 links


Hi @Bhavesh_Shrivastav :wave: Welcome to the FreeAgent API forum! I’m Adam and I’m on the Engineering team at FreeAgent.

Looking at the request you’re sending, I wonder if the issue is that you have the header ‘content-type: application/json’ but the data you’re sending is in the format: --data-raw ‘“code=CODE&grant_type=authorization_code&redirect_uri=REDIRECT_URI”’. Could you try sending the request body as JSON i.e. -d ‘{“code”: “CODE”, “grant_type”: “authorization_code”, “redirect_uri”: “REDIRECT_URI”}’?

As an aside, on a security note, one other thing to say is I would strongly recommend refreshing your client ID and secret that you’ve posted encoded in your authorization header. On a public forum like this, anyone could decode them from the Base64 encoded header you’ve sent and then send requests to us appearing as you. You should be able to get new tokens by going into your app on the FreeAgent Developer Dashboard and clicking “Regenerate tokens”. If you ever wanted to post details of API requests on the forum again in future, please be sure to leave out any sensitive information. If we needed to know any further details you wouldn’t want to share on a public forum (e.g. to help search our logs) we can always ask you to send a private message.

Please let me know how you get on with the above, and if you have any questions at all, please don’t hesitate to ask.

Kind regards,