Getting "Invalid Access Token" when trying to access the user profile

MarkClaassen

I am following the OAUTH flow, getting the code, then using that to get an access token.  However, the access token I get back does not work.  I have a feeling I am doing something wrong here, but am unclear what.  I have looked for other similar issues and can't quite find what I am looking for.

I am not sending any scopes in the login request.  When I get the code, I use it to get a token:

request {
  grant_type: 'authorization_code',
  client_id: '*****',
  client_secret: '*****',
  redirect_uri: '*****',
  code: '*****'
}

response {
  access_token: '**ACCESS TOKEN**',
  token_type: 'Bearer',
  user: {
    id: 2,
    name: 'Example Student',
    global_id: '*****',
    effective_locale: 'en'
  },
  refresh_token: '*****',
  expires_in: 3600
}

 

Then, I do another request, putting in the HTTP Header:

Authorization: 'Bearer **ACCESS TOKEN**'


I always get:
Error: failed [401] {"errors":[{"message":"Invalid access token."}]}

I created an access token from the development dashboard, and the API request works with that token (which is the same format as the one I get back in the OAUTH flow).


But that seems to defeat part of the purpose. It seems I would want to make the API calls as the user who is logged in, and not using my developer token.

Any guidance on what I am doing incorrectly would be greatly appreciated!


Thanks for the reply!  The quotes were an artifact of copying the information for my post and were not part of the actual header.  I should have been more careful when I made my post.

I also wrote to support and they were able to determine (from the logs) that I had the 'Test Cluster Only' setting enabled on my developer key.  I had not read into the environments that are included in the system.

https://community.canvaslms.com/t5/Canvas-Releases/What-is-the-Canvas-release-schedule-for-beta-prod...

All I needed to do was to either turn that setting off, or change my test code to access <domain>.test.instructure.com, instead of <domain>.instructure.com.

Again, thanks for the reply.  If the quotes had actually been part of my header, that would definitely have been a problem.
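
The two failure causes discussed in this thread (a developer key limited to the test cluster being used against a production host, and stray quotes in the Authorization header) can be caught before the API call is made. The following is an added example, not code from the thread or from Canvas; the function names, the `testClusterOnly` field, the `school` host and the token value are hypothetical, and the hostname check assumes an `instructure.com` domain rather than a custom one.

```javascript
// Added example: pre-flight check for a Canvas API request.
// All names and sample values are constructed for illustration.

// Derive the environment from the hostname:
//   <domain>.instructure.com       -> production
//   <domain>.test.instructure.com  -> test
//   <domain>.beta.instructure.com  -> beta
function canvasEnvironment(baseUrl) {
  const host = new URL(baseUrl).hostname.toLowerCase();
  const m = /^[a-z0-9-]+\.(?:(test|beta)\.)?instructure\.com$/.exec(host);
  if (!m) return 'unknown'; // custom domain: cannot tell from the name
  return m[1] || 'production';
}

// Return a list of problems; an empty list means nothing obvious is wrong.
// testClusterOnly mirrors the 'Test Cluster Only' developer key setting.
function preflight({ baseUrl, testClusterOnly, authorization }) {
  const problems = [];
  const env = canvasEnvironment(baseUrl);

  if (env === 'unknown') {
    problems.push('cannot determine environment from hostname');
  } else if (testClusterOnly && env !== 'test') {
    problems.push(`developer key is Test Cluster Only but host is ${env}`);
  }

  // The header value must be the word Bearer, one space, then the raw
  // token, with no surrounding quotes or extra whitespace.
  if (!/^Bearer [^\s'"]+$/.test(authorization)) {
    problems.push('Authorization must be: Bearer <token>, without quotes');
  }
  return problems;
}

// Constructed sample: the situation described in the thread.
const sample = {
  baseUrl: 'https://school.instructure.com',
  testClusterOnly: true,
  authorization: 'Bearer CONSTRUCTED_TOKEN',
};
console.log(preflight(sample));
console.log(preflight({ ...sample, baseUrl: 'https://school.test.instructure.com' }));
```
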
