Refreshing token?

Hi, I’m just getting introduced to the Monzo API. I’m starting with a small, simple project: a Node.js script that saves my Monzo balance to an Excel sheet.

I can’t get my head around the way to refresh tokens so that this script keeps running.
This is the Monzo part.

const Monzo = require('monzo-js');
// this one keeps changing
const monzo_cleint = new Monzo('xxxxxxxxxxxx');

async function getMozoData() {
    await Monzo.OAuth.usingClientCredentials('xxxx', 'xxxxxxx');
    const accounts = await monzo_cleint.accounts.all();
    for (const [id, acc] of accounts) {
        // the balance is divided by 100 and rounded to two decimal places
        const balance = Number((acc.balance / 100).toFixed(2));
        console.log('balance' + balance);
        return balance; // returns on the first account
    }
}

As far as I understand, I’ll have to set up the full OAuth process if I want to keep permanent access to my account, which will not work well with my use case. But I hope I’m just wrong.

Help is much appreciated!

1 Like

I don’t know much nodejs, if any…

But to refresh a token, you just submit the details back to Monzo and they send another token back which you will need to save for the next refresh…

See https://docs.monzo.com/#refreshing-access might help you…

You need to push the refresh token to https://api.monzo.com/oauth2/token along with a few other bits of data and it’ll return new data for the next 33 odd hours…

You don’t need to go through another Auth process…

Does that make sense?

1 Like

Thanks a lot.
But I’ve no idea how to “submit the details back to Monzo to get another token”.
Is there an endpoint to get the token using client ID and client secret?

The way I do it is to go through the normal auth process to get a token, which I then store locally.

Then when I need to re-get data from the API I make a call to https://api.monzo.com/ping/whoami with the current token. If this fails authentication I call https://api.monzo.com/oauth2/token to get a refreshed token. Then I can continue the rest of the calls with the new token.

If the whoami call doesn’t fail and is authenticated, I just use that token…

This way, I don’t have to track the expiry of the token…

1 Like
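The check-then-refresh flow described in the post above, as an added example that is not part of the original thread or of monzo-js. The form fields are the standard OAuth 2.0 refresh-grant parameters; `http`, `store`, `makeStubApi` and `memoryStore` are hypothetical helpers, and the stub's responses are constructed so the flow runs offline.

```javascript
// Added example. `http` and `store` are hypothetical injected helpers, not monzo-js APIs.
const API = 'https://api.monzo.com';

async function getValidAccessToken({ http, store, clientId, clientSecret }) {
  const tokens = await store.load(); // { access_token, refresh_token }
  // 1. Probe the stored access token, as described in the post above.
  const who = await http(`${API}/ping/whoami`, {
    headers: { Authorization: `Bearer ${tokens.access_token}` },
  });
  if (who.status === 200 && who.body.authenticated === true) return tokens.access_token;
  // 2. Probe failed: exchange the refresh token (OAuth 2.0 refresh grant fields).
  const res = await http(`${API}/oauth2/token`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'refresh_token',
      client_id: clientId,
      client_secret: clientSecret,
      refresh_token: tokens.refresh_token,
    }).toString(),
  });
  // An empty or partial body is a failure even when no HTTP error is reported.
  if (res.status !== 200 || !res.body || !res.body.access_token || !res.body.refresh_token) {
    throw new Error(`token refresh failed (HTTP ${res.status})`);
  }
  // 3. Save the new pair before using it; the next refresh needs the new refresh token.
  const next = { access_token: res.body.access_token, refresh_token: res.body.refresh_token };
  await store.save(next);
  return next.access_token;
}

// Constructed stand-in for the API (not real Monzo responses). Assumption: one
// access token is valid at a time and each refresh token works once.
function makeStubApi(state) {
  return async (url, opts = {}) => {
    if (url.endsWith('/ping/whoami')) {
      const ok = opts.headers.Authorization === `Bearer ${state.access}`;
      return ok ? { status: 200, body: { authenticated: true } } : { status: 401, body: {} };
    }
    const sent = new URLSearchParams(opts.body).get('refresh_token');
    if (sent !== state.refresh) return { status: 401, body: {} };
    state.access = `access-${++state.n}`;
    state.refresh = `refresh-${state.n}`;
    return { status: 200, body: { access_token: state.access, refresh_token: state.refresh } };
  };
}
// In-memory token store (constructed); a real one would persist to disk.
const memoryStore = (saved) => ({ load: async () => saved, save: async (t) => { saved = t; } });
```

In a real script `http` would wrap `fetch` and `store` would read and write a file restricted to your own user, since the refresh token grants ongoing access to the account.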

Thanks a lot for this! Could you please share with me the curl request you do to get a new token? Want to make sure I get it right?

Much appreciated

It’s not the cleanest of code, but this is the flow of the app…

You can choose to conditionally obtain a new access token when your access token expires by adding in error checking on each request, but if you’re looking to get started with the simplest code possible you can just use your refresh token to get an access token each time your function runs.

const Monzo = require('monzo-js');

const monzo = new Monzo('dummy-value-does-not-need-to-be-correct');
const clientId = 'put-your-client-id-here';
const clientSecret = 'put-your-client-secret-here';
const refreshToken = 'put-your-actual-refresh-token-here';

// any time you want to get data from Monzo authenticate using the refresh token...
Monzo.OAuth.refreshToken(clientId, clientSecret, refreshToken);

// now your code to interface with Monzo goes here, because you just got a new access token it will never be expired
monzo.accounts.all().then(accounts => {
    for (const [id, acc] of accounts) {
        console.log(`💵 £${acc.balance} in ${acc.id}`);
    }
});

This will work for as long as your refresh token is valid (which should be forever, unless you revoke OAuth access to the app).

Yes perfectly understood. My main issue is I can’t find the refresh token? Where do you get it?

You get it when you exchange the authorisation code:

Does that mean you can refresh an expired access token? I had assumed you had to refresh it before it expires for some reason :hushed:

1 Like

I’ve not really tested that… I assume it does as long as the original token had not been invalidated…

The docs say

To gain long-lived access to a user’s account, it’s necessary to “refresh” your access when it expires using a refresh token

From the wording when, not before, I assume you can…

I’ll find out when my last access token expires :grinning:

I’m having an issue when trying to obtain a refresh token. Although my POST request returns no error, as I’m sending the right payload, the body is empty. I’m not sure if I’m missing something.

Hi all.
I have this issue as well, but actually, it should not need refreshing at all.
There should be a permanent token generated in the Dev. dashboard and that should be it.
I work with various APIs and most of them have it this way. Ebay for example works this way…
There should be an option to refresh it of course, for various cases, but I have no idea why the default token is not permanent?

It’s more secure using bearer tokens which expire. If the token got out, any damage would be limited to up to 24? hrs.

It’s OAuth 2.0. Most services I use (at a University) now use this type of auth (and I require it for new developments).

1 Like

Ok, fair enough, but another question is: do you need to authorize the auth in the app as well or is the token given back to the pure API call?
In the doc it says “Redirect the user to Monzo to authorise your app”.
It would not make sense for a human action to be required, as it would make the whole automation approach useless…
Also, I searched in many places and I couldn’t find how to retrieve that REFRESH token.

The human interaction is required to grant permissions on the account, but this is only required when the token is initially generated. After this you can use the refresh token to generate new tokens, which does not require human interaction.

2 Likes

No man, too complicated. And the docs only give those shell api calls, no idea what’s headers, what values, what json, complete chaos.
Quite bad docs, and no examples or extra info… :frowning:

All of the API endpoints have examples on how to make the API call using curl in the shell so you should be able to translate that into whatever language you plan on using.

Alternatively it is worth looking to see if someone has created a package in your language of choice.

Hi. I completely abandoned the Monzo API until just now, when I’m giving it another try. I managed to use the Python repo on git and got the access token and refresh token, but when I used the get_accunts.py script I get “Failed to retrieve accounts”.
What am I doing wrong now?
Thanks.