Postman & Monzo API


I’m trying to get a refresh token using the Monzo API and Postman but when trying to authenticate I get the ‘Monzo Security’ window pop up, and then after clicking ‘continue to login’, entering my email address and completing the email step, I just get taken to a blank Postman callback page.

Has anyone encountered this before?

I’m guessing here but i’m not sure whether the OAuth2 functionality provided by Postman (not really used it before) expects for the auth url to perform the navigation within the same window (i.e. within the popup window it expects it to do the navigation to the callback url). Obviously with Monzo you’ll get an e-mail that has the url in instead which is outside the context of that popup window.

1 Like

You can drag the URL from your web browser into the blank page and it’ll redirect (going from memory).

Jack, I could kiss you.

Thank you so much!

1 Like

Argh! My woes continue.

I’m now getting a 400 bad request when trying to refresh the token. The following is the response, using httpie.

HTTP/1.1 400 Bad Request

CF-RAY: 4f6f72905df9ce23-LHR

Connection: keep-alive

Content-Type: application/json

Date: Mon, 15 Jul 2019 23:17:02 GMT

Expect-CT: max-age=604800, report-uri=“

Server: cloudflare

Set-Cookie: __cfduid=dbe9d471cafbc29a20151cba8260fb50b1563232622; expires=Tue, 14-Jul-20 23:17:02 GMT; path=/;; HttpOnly

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Trace-Id: 93e63a61-5ca2-4af4-4f48-e63a78bef8fc

Transfer-Encoding: chunked

X-Content-Type-Options: nosniff

Normally if you get a 400 without any error in the response then it’s just a malformed request that is missing something. Normally people forgetting to set the correct grant_type or add the refresh_token key/value.

What does your request look like? It should be (using httpie):

http --form grant_type=refresh_token client_id=<client_id> client_secret=<client_secret> refresh_token=<refresh_token>

So using httpie I get…


"code" : “bad_request.could_not_authenticate”,

"error" : “invalid_request”,

"error_description" : “Could not authenticate with provided credentials”,

"message" : “Could not authenticate with provided credentials”


Not sure what I’m missing?

Either your client secret is invalid or you have a mismatch of credentials.

So firstly, check your client secret is valid.

Secondly, do you have multiple clients setup on the developer portal? If so, it may be that you’re using a valid client_id and client_secret however, they are not the same ones that were used from where the refresh_token was generated (when you exchanged your auth code for the access token).

1 Like