Postman & Monzo API


I’m trying to get a refresh token using the Monzo API and Postman but when trying to authenticate I get the ‘Monzo Security’ window pop up, and then after clicking ‘continue to login’, entering my email address and completing the email step, I just get taken to a blank Postman callback page.

Has anyone encountered this before?

I’m guessing here but i’m not sure whether the OAuth2 functionality provided by Postman (not really used it before) expects for the auth url to perform the navigation within the same window (i.e. within the popup window it expects it to do the navigation to the callback url). Obviously with Monzo you’ll get an e-mail that has the url in instead which is outside the context of that popup window.


You can drag the URL from your web browser into the blank page and it’ll redirect (going from memory).

1 Like

Jack, I could kiss you.

Thank you so much!

1 Like

Argh! My woes continue.

I’m now getting a 400 bad request when trying to refresh the token. The following is the response, using httpie.

HTTP/1.1 400 Bad Request

CF-RAY: 4f6f72905df9ce23-LHR

Connection: keep-alive

Content-Type: application/json

Date: Mon, 15 Jul 2019 23:17:02 GMT

Expect-CT: max-age=604800, report-uri=“

Server: cloudflare

Set-Cookie: __cfduid=dbe9d471cafbc29a20151cba8260fb50b1563232622; expires=Tue, 14-Jul-20 23:17:02 GMT; path=/;; HttpOnly

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Trace-Id: 93e63a61-5ca2-4af4-4f48-e63a78bef8fc

Transfer-Encoding: chunked

X-Content-Type-Options: nosniff

Normally if you get a 400 without any error in the response then it’s just a malformed request that is missing something. Normally people forgetting to set the correct grant_type or add the refresh_token key/value.

What does your request look like? It should be (using httpie):

http --form grant_type=refresh_token client_id=<client_id> client_secret=<client_secret> refresh_token=<refresh_token>

1 Like

So using httpie I get…


“code” : “bad_request.could_not_authenticate”,

“error” : “invalid_request”,

“error_description” : “Could not authenticate with provided credentials”,

“message” : “Could not authenticate with provided credentials”


Not sure what I’m missing?

Either your client secret is invalid or you have a mismatch of credentials.

So firstly, check your client secret is valid.

Secondly, do you have multiple clients setup on the developer portal? If so, it may be that you’re using a valid client_id and client_secret however, they are not the same ones that were used from where the refresh_token was generated (when you exchanged your auth code for the access token).


Hi James,

I ended up creating a new OAuth client in the end, thanks for your help.


I can’t believe I’m posting here again, but the whole dragging the URL into Postman now does absolutely nothing!?!

I can’t get it to do anything, tried uninstalling, reinstalling, trying Postman Canary, still nothing. Aaaggghhh!

Does not work for me either. Ended up just copying the authorization code from the URL over into a variable…

Acquiring the access token is automatic afterwards. So should the refresh of the access token?

Tried on Windows and worked without issue.

Can you explain what you mean by ‘copying the authorization code from the URL over into a variable’ please?

I mainly use Insomnia at the moment, but I think Postman is similar.

It’s a two step process:

  1. Acquire the auth key

This step you seem to do already. Once you have the link in the email, copy out the value after “key=”. But without the optional “state=+”.

  1. Use environment variable in POST request for access token

In Postman you can use Environments. Set one up for Monzo and add a variable (e.g. auth_code) and copy over the code from step 1.
Now you can reference this variable as {{auth_code}} and use in your POST request for the access_token.

If it helps, I have a Monzo Workspace set up in Insomnia. Could share, if you would like to see an example.

Thinking of this, it’s probably a little overkill with the environment variable. You could just copy the code into the value of the body key “code”. But guess I still have the hope, that I could find a way of automating this in Insomnia / Postman.

Not sure if I actually helped you with my answer?