Getting access token


I’m trying to fetch an access token using the API through curl (in PHP).
I’ve been able to get the access code just fine but when I try to use this to fetch an access token I get a 401, HTTP Basic: Access denied response.

Am finding it difficult from the documentation to work out how should be sending the Client Secret and Client Id.
I have tried posting this as a CURLOPT_USERPWD header, and as both authentication basic and bearer headers (with id:secret base64 encoded and without) but still getting the same error.

Any guidance on how to debug the above would be much appreciated!



Hi Cole,

It’s been a while since I’ve delved into PHP, but with my rusty memories and Google’s help I’ve come up with this code snippet which I’ve verified works on our development stack.

  // See for more details

  // Client ID and Secret for your application at
  $client_id = "...";
  $client_secret = "...";

  // Auth token as provided by the FreeAgent API's Authorization Request
  $auth_token = "...";

  // Redirect URI. *Must* match that passed in to the API in the Authorization Request
  $redirect_uri = "...";

  // Access Token request URL
  $endpoint = "${auth_token}&redirect_uri=${redirect_uri}";

  $process = curl_init($endpoint);
  curl_setopt($process, CURLOPT_HTTPHEADER, array('Content-Type: application/json', 'Accept: application/json', 'Content-length: 0'));
  curl_setopt($process, CURLOPT_HEADER, 1);
  curl_setopt($process, CURLOPT_USERPWD, $client_id . ":" . $client_secret);
  curl_setopt($process, CURLOPT_TIMEOUT, 30);
  curl_setopt($process, CURLOPT_POST, true);
  curl_setopt($process, CURLOPT_RETURNTRANSFER, TRUE);
  $result = curl_exec($process);


From your question it does seem like you’ve got or tried this already, so hopefully it’s just a minor tweak somwhere.

Hope that helps, let me know if not and we’ll have another look.


Hi again,

As a follow up to this I’ve just spotted that if the same auth token is reused then subsequent requests return a 401 Unauthorized / HTTP Basic: Access denied response.

It’s important to note that each auth token can only be used once to exchange for an access token and refresh token, after which it is invalidated.

I’ve had a look at the OAuth spec, and it seems we should be returning a 400 invalid_grant response there, so I’ll add that to our backlog of work. If nothing else it will make the response less confusing.


Thanks Paul

Tried with the same details you have used but now getting a 400: Bad Request `{“error”:“invalid_grant”} response.
This sounds like this is an issue with the auth token used but am regenerating before testing.

Any thoughts?


Hussah - think have fixed. Hadn’t appreciated that the Redirect URI had to be same for both requests which seems to have resolved the issue.

Many thanks for your help!

Ho worries.

The OAuth flow does seem to take some getting your head around and we’re trying to work out a better way to document and illustrate it to make it easier for users to access our API. As ever, watch this space… :slight_smile:


Hi Paul,
I run your script with my details and got this:
Any ideas?

Sorry- that was the wrong image, here’s the result I get when not exceeding the request/minute limit: