Problems with accessing the REST API with an oauth2 access token

MichielF500 Member Posts: 8

I've used the oauth2 method of requesting an access token, which works fine. However, when I try to make an actual REST call, I get {"description":"Invalid token"} as a response.

My cURL request looks like this:

curl -X GET -H 'Authorization: Bearer <oauth2 token here>' https://test.lightspeedapis.com/resto/rest/core/company/

What am I doing wrong?

16 comments

  • LucienVersendaal Moderator, Lightspeed Staff Posts: 991

    Hi @MichielF500,

    Thank you for contacting us.

    What I think is that your access_token is expired. You'll need to get a new access_token using the refresh_token.

    More information can be found here: https://developers.lightspeedhq.com/resto-api/introduction/authentication/#refresh-token

    I hope this helps.

  • MichielF500 Member Posts: 8

    @LucienVersendaal Thank you for responding so quickly.

    I just refreshed the token, got a new access token and immediately ran the request I mentioned in this thread with the new access token pasted into it but again got the {"description":"Invalid token"} response...

  • LucienVersendaal Moderator, Lightspeed Staff Posts: 991

    Hi,

    Did you follow the steps from the documentation? https://developers.lightspeedhq.com/resto-api/introduction/authentication/

    I've also created a video of how to connect with Postman, https://drive.google.com/file/d/1pDvE27eFvSEwkdtzIGI4iH2WY_BaPUfF/view?usp=sharing Please keep in mind that I forgot to mention in the video to add the HEADERS. You'll need to add that.

    I hope this helps.

  • MichielF500 Member Posts: 8

    Hello,

    Yes, I've used the documentation and was able to get an access token as well as a refresh token. And after that, I used cURL to check if everything is working, which turned out to not be the case ...

    However, I seem to be doing what you are doing in your Postman video. Same API URL and I also added the Authorization: Bearer-header (see my cURL example above).

    I will try the entire process from scratch with Postman now and see if I might have overlooked or missed something. And I will of course update my findings in this thread.

  • MichielF500 Member Posts: 8

    Hello @LucienVersendaal ,

    I've tried the same path again, with no success. We can request an access token as well as a refresh token and use that refresh token to get a new access token. However, when we try to connect with the API, we still get the "invalid token" response.

    But: when I log into the account through your web interface, it says that the account has expired. Could this perhaps be the reason that we get an invalid token response? And if so, could you please re-activate our account?

    If this *is* the problem, it might be nice to update your API to not even allow the retrieval of the access token and give an error like "your account has expired" instead of returning an access and refresh token because this is quite confusing.

  • LucienVersendaal Moderator, Lightspeed Staff Posts: 991

    Hi @MichielF500

    That could be the reason, can you provide me your accountID?

  • MichielF500 Member Posts: 8

    @LucienVersendaal Do you want the mail address we use to log in? If so, could I perhaps send you an email with that information? I don't think my customer would agree to me sharing their email address on a public forum with regards to spam and the like.

  • LucienVersendaal Moderator, Lightspeed Staff Posts: 991

    No, that isn't needed, I need your accountID and your URL when you're logged in to the backoffice:


  • MichielF500 Member Posts: 8

    Hi @LucienVersendaal,

    Our account ID is 105581.

  • LucienVersendaal Moderator, Lightspeed Staff Posts: 991

    Thanks,

    The account isn't expired anymore, can you try again?

  • MichielF500 Member Posts: 8

    Dear @LucienVersendaal,

    Thanks for re-activating the account. However, it did not fix the problem. I can still get an access token and refresh token but as soon as I try and query the API, I get:

    {
    "description": "Invalid token"
    }

    I call this URL:

    test.lightspeedapis.com/resto/rest/core/company (can't add the https protocol as the result will be added into this message)

    And I send along an authorization header which looks like this:

    Authorization: Bearer <freshly generated auth key>

    I've tried this process over and over, had somebody else look at it and we can only conclude that we're not doing anything wrong... Do you have any ideas left?

  • LucienVersendaal Moderator, Lightspeed Staff Posts: 991

    Hi @MichielF500,

    That is super weird.

    The only thing I can think of is that there is something wrong with the code_verifier and code challenge, can you try to create a new code_challenge and verifier? Here you can get a new set of it https://developer.pingidentity.com/en/tools/pkce-code-generator.html

    Please let me know.

  • MichielF500 Member Posts: 8

    Dear @LucienVersendaal,

    I don't think the problem is with the code verifier, as the steps in which the code verifier is actually needed work properly. We get a working auth-code and refresh code. The requests to the API only use the bearer header and that is where the problems occur.

    Would you perhaps be up for a session in which I share my screen and go through the process so you might be able to spot the problem?

  • LucienVersendaal Moderator, Lightspeed Staff Posts: 991

    Hi @MichielF500,

    Sure! I'll send you a DM.

  • DesertRatGames Member Posts: 2

    Anything come of this - I think I'm experiencing the same thing. Using the refresh token seems to be working, it's either returning the existing auth code if not expired, or returning a new one if it is. But that auth code DOESN'T WORK.

    Any attempt to use it returns {"httpCode":"401","httpMessage":"Unauthorized","message":"Invalid access token.","errorClass":"AuthException"}

  • Ali_Masoumie Moderator, Lightspeed Staff Posts: 340

    Hi @DesertRatGames,

    Are you sure you are replacing the token with the new one in your headers when doing a request? Because from the error message, it seems like you are using the wrong access_token.

    If you could send us some more details, that would be helpful. You can also send me a pm if you do not want to share sensitive information here.
