Is basic authentication really needed when exchanging auth token for access token?

You can use basic authentication: setting the client_id and client_secret
as the username and password when requesting a token, or you can pass the
client_id and client_secret as POST parameters when making the request.
Passing them as POST params is what the Google OAuth Sandbox does.

Kind regards,

GraemeOn 2 October 2012 15:59, chrisb wrote:

The docs suggest you need to use basic authentication when exchanging the
authorization token for an access token.

The Access Token Request

The App must exchange the Authorisation Token for an Access Token and a
Refresh Token. To do this, the app makes an HTTP Basic Auth POST to the
FreeAgent Token Endpoint using
the Client ID as the username and Client Secret as the password and
including the following in the POST body:

However, this seems to work fine for me if I make the POST without setting
basic auth details.

You received this message because you are subscribed to the Google Groups
“FreeAgent API” group.
To view this discussion on the web visit
To post to this group, send email to
To unsubscribe from this group, send email to
For more options, visit this group at

Graeme Boyd
Senior Software Engineer

Web. Blog.
Twitter. @freeagent!/freeagent Facebook.

40 Torphichen Street, Edinburgh, EH3 8JB
FreeAgent Central Ltd. Registered in sunny Scotland SC316774