I'm currently trying to implement Docusign API. I've setup oauth authorization code flow with PKCE enabled successfully (with signature extended openid scope). I fetch the token & refresh token without any problem. I'm trying to refresh my token but I keep getting: ["status_code" => 400,"response" => "{"error":"invalid_grant"}"]

  $authHeader = 'Basic ' . base64_encode("{$clientId}:{$clientSecret}");
                $response = $this->httpClient->request('POST', $tokenUrl, [
                    'headers' => [
                        'Authorization' => $authHeader,
                        'Content-Type' => 'application/x-www-form-urlencoded',
                    ],
                    'body' => http_build_query([
                        'grant_type' => 'refresh_token',
                        'refresh_token' => $refreshToken,
                        'client_id' => $clientId,
                        'client_secret' => $clientSecret
                    ]),
                ]);

I tried without client_id and client_secret as parameters as well.

I even tried on their postman collection and I'm getting the same result. postman_capture

My clientId is integration id given on the app settings, my client secret is valid as well since I'm able to do the auth code flow.

I'm expecting to get a new token and refresh_token.

Thanks for your help

I'm currently trying to implement Docusign API. I've setup oauth authorization code flow with PKCE enabled successfully (with signature extended openid scope). I fetch the token & refresh token without any problem. I'm trying to refresh my token but I keep getting: ["status_code" => 400,"response" => "{"error":"invalid_grant"}"]

  $authHeader = 'Basic ' . base64_encode("{$clientId}:{$clientSecret}");
                $response = $this->httpClient->request('POST', $tokenUrl, [
                    'headers' => [
                        'Authorization' => $authHeader,
                        'Content-Type' => 'application/x-www-form-urlencoded',
                    ],
                    'body' => http_build_query([
                        'grant_type' => 'refresh_token',
                        'refresh_token' => $refreshToken,
                        'client_id' => $clientId,
                        'client_secret' => $clientSecret
                    ]),
                ]);

I tried without client_id and client_secret as parameters as well.

I even tried on their postman collection and I'm getting the same result. postman_capture

My clientId is integration id given on the app settings, my client secret is valid as well since I'm able to do the auth code flow.

I'm expecting to get a new token and refresh_token.

Thanks for your help

• docusignapi

Share Follow edited Mar 7 at 13:12 Joachim asked Mar 7 at 13:10 JoachimJoachim 1111 silver badge22 bronze badges

Add a comment  | 

2 Answers 2

Sorted by: Reset to default 1

The client_id and client_secret should not be included in the body when using the Authorization header. Your request should look like this:

$authHeader = 'Basic ' . base64_encode("{$clientId}:{$clientSecret}");
$response = $this->httpClient->request('POST', $tokenUrl, [
    'headers' => [
        'Authorization' => $authHeader,
        'Content-Type' => 'application/x-www-form-urlencoded',
    ],
    'body' => http_build_query([
        'grant_type' => 'refresh_token',
        'refresh_token' => $refreshToken,
    ]),
]);

For the developer environment, it should be https://account-d.docusign/oauth/token

Note: Refresh tokens have a lifespan of 30 days. If the token is older than that, it will expire.

Ok I found the problem, token was truncated to 255 char in my db. Thanks for your help