400 error status when exchanging authorization code

Hey all, I am trying to retrieve an authorisation code as per the docs: https://docs.monzo.com/#acquire-an-access-token

I have all the data required to make the request, but am struggling with how to arrange that data in the fetch:

This is what I have so far (as part of a React app):

if (state_token === state) {
  // state matches - retrieve the access token from monzo
  const formData = {
    grant_type: "authorization_code",
    client_id: client_id,
    client_secret: client_secret,
    redirect_uri: authorised_redirect_uri,
    code: authorization_code
  };

  axios
    .post(`${config.monzo.base}/oauth2/token`, formData)
    .then(response => {
      console.log(response);
    })
    .then(data => console.log(data))
    .catch(function(error) {
      console.log(error);
    });
}

However, this is resulting in a 400 status error. I’m not sure what I’m doing wrong. Any pointers?

Thanks in advance.

1 Like

Hi @zeKoko

The token endpoint requires the post body to be in a query string format but by default axios converts the data object to JSON.

Try this:

...
const formData = new URLSearchParams();
formData.set("grant_type", "authorization_code");
formData.set("client_id", client_id);
formData.set("client_secret", client_secret);
formData.set("redirect_uri", authorised_redirect_uri);
formData.set("code", authorization_code);

axios
    .post(`${config.monzo.base}/oauth2/token`, formData.toString())
...
1 Like
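
The form-encoded exchange described in the reply above, as an added example that is not part of the original thread. It assumes Node 18+ (global `fetch`) and that the exchange runs server-side, so `client_secret` is not shipped in a browser bundle. The names `buildTokenRequest`, `redactForLog` and `exchangeCode` are hypothetical, and the host and credential values are constructed placeholders.

```javascript
// Added example; function names are hypothetical, sample values are constructed.

// Build the POST for the /oauth2/token path used in the thread.
function buildTokenRequest(base, { clientId, clientSecret, redirectUri, code }) {
  // URLSearchParams percent-encodes each value, so a redirect_uri containing
  // ":" and "/" is sent as one form field instead of being JSON-serialised.
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    client_id: clientId,
    client_secret: clientSecret,
    redirect_uri: redirectUri,
    code,
  });
  return {
    url: `${base}/oauth2/token`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Copy of the body with secret-bearing fields masked, for logging while
// debugging a 400 without writing the secret or the one-time code to logs.
function redactForLog(body) {
  const p = new URLSearchParams(body);
  for (const k of ["client_secret", "code"]) if (p.has(k)) p.set(k, "REDACTED");
  return p.toString();
}

// Perform the exchange; fetchImpl is injectable so it can be tested offline.
async function exchangeCode(base, params, fetchImpl = globalThis.fetch) {
  const { url, init } = buildTokenRequest(base, params);
  const res = await fetchImpl(url, init);
  const text = await res.text();
  // Surface the status and the server's error body, not the request.
  if (!res.ok) throw new Error(`token endpoint returned ${res.status}: ${text}`);
  return JSON.parse(text);
}

// Demo with constructed values; no network call is made here.
const demo = buildTokenRequest("https://api.example.test", {
  clientId: "oauth2client_constructed", clientSecret: "constructed-secret",
  redirectUri: "https://app.example.test/callback", code: "constructed-code",
});
console.log(demo.init.headers["Content-Type"]);
console.log(redactForLog(demo.init.body));
```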

I know this is an old post but I’m losing my mind trying to get this to work. I tried @timmw’s solution and still get a 400 error code.

@zeKoko, did you manage to get this working with axios?

I’d check the docs around the call to that endpoint. It looks like grant_type should be set to refresh_token (see here: https://docs.monzo.com/#refreshing-access).

Also, and I’m not sure if it helps or not, there’s mention in the docs about the fact that: “Only “confidential” clients are issued refresh tokens – “public” clients must ask the user to re-authenticate.”

You’ll specify that when you make a new OAuth client in the developers playground.
