OAuth - Request for new token rejected

guyrbissonguyrbisson Member Posts: 6

I've read through your documentation and have implemented your specific requirements into my Lightspeed Retail Oauth Redirect Url lambda. I have confirmed that the client_id and client_secret are correct by logging into the https://cloud.lightspeedapp.com/oauth/update.php page.

I can initiate the process by visiting  https://us.lightspeedapp.com/oauth/authorize.php?response_type=code&client_id=2fe**********************************0&scope=employee:register_read+employee:inventory_read+employee:customers_read+employee:reports.

The redirect endpoint receives the correct response with a temporary code.  We recover the temporary code and post to the endpoint as per documentation as part of the following Axios request :

config: {

url: 'https://cloud.lightspeedapp.com/oauth/access_token.php',

method: 'post',

data: 'client_id=2fe*********************************0&client_secret=***********************&code=d9e24ef1e0e022c6bd2936a7109d24f97fd8f412&grant_type=authorization_code',

headers: {

Accept: 'application/json, text/plain, */*',

'Content-Type': 'multipart/form-data',

'User-Agent': 'axios/0.19.2',

'Content-Length': 229


transformRequest: [ [Function: transformRequest] ],

transformResponse: [ [Function: transformResponse] ],

timeout: 0,

adapter: [Function: httpAdapter],

xsrfCookieName: 'XSRF-TOKEN',

xsrfHeaderName: 'X-XSRF-TOKEN',

maxContentLength: -1,

validateStatus: [Function: validateStatus]


We are receiving 400 Bad Request with the following message in the body:

data: {

error: 'invalid_request',

error_description: 'The grant type was not specified in the request'


It appears to me that the grant_type is part of the multipart/form-data. What content-types does your endpoint support, what is the correct spelling for the grant_type key, what is the correct spelling for the grant_type options? Do you have logging on your end that you can share with me?

Best regards,


  • Adrian SamuelAdrian Samuel Moderator, Lightspeed Staff Posts: 627 moderator

    Hey @guyrbisson,

    Instead of a multi-part form, send the data in the request body and set the Content-Type in the headers to application/json

    Let me know how that goes :)

    Adrian Samuel

    Software Developer - Strategic Solutions

    Lightspeed HQ

  • guyrbissonguyrbisson Member Posts: 6

    I had tried that as well after reading through the discussion boards. No luck so I submitted this post. A log of my POST request from your server would certainly help clear up the confusion. Can you get me a copy? Thanks!

  • guyrbissonguyrbisson Member Posts: 6

    I'm also reading through the Axios discussion boards to see if there is a known issue. Most of the discussions there are around properly serializing of the json structure to match the Content-Type. It looks from my logs that this is being done correctly. I'm stumped since we've been using Axios for all of our REST requests with our other integrations.

  • guyrbissonguyrbisson Member Posts: 6

    I have resolved the issue. The transformation we were applying in the Axios function was converting all incoming data to a querystring. I extended the function to detect when 'Content-Type' was set to application/json and converted the data using JSON.stringify(). This worked and I was able to recover the token.

    Note: It may be time to update your documentation and remove references to multipart/form-data if what is truly required is a JSON object....

Sign In or Register to comment.