ESI: The refresh token is malformed

I am creating a PHP app on a Windows box and I wanted to get the basic ESI OAuth flow worked out before I started coding. I’m running into a problem when trying to refresh a token.

Here’s what I am doing:

  1. Browse to the following URL:

https://login.eveonline.com/oauth/authorize?response_type=code&redirect_uri=https://localhost&client_id=[client ID string]&scope=esi-markets.structure_markets.v1&secret=[secret string]

  2. Copy/paste authorization code from URL returned in step 1 and run the following command in CMD window

curl -XPOST -H "Content-Type:application/json" -H "Authorization:Basic [Base64 encrypted clientID:secret string ending in ==]" -d "{\"grant_type\":\"authorization_code\", \"code\":\"[code copy/pasted from URL returned in step 1]\"}" https://login.eveonline.com/oauth/token

  3. Make a request against login.eveonline.com in a CMD window

curl -XGET -H "Authorization: Bearer [authorization token]" https://login.eveonline.com/oauth/verify

which returns

{"CharacterID":999999999,"CharacterName":"Player1","ExpiresOn":"2021-05-19T15:58:11","Scopes":"esi-markets.structure_markets.v1","TokenType":"Character","CharacterOwnerHash":"[hash]","IntellectualProperty":"EVE"}

  4. I then want to refresh the token by running this in a CMD window:

curl -XPOST --header "Accept: application/json" -H "Content-Type:application/x-www-form-urlencoded" -H "Authorization:Basic [Base64 encrypted clientID:secret string ending in ==]" -d "grant_type=refresh_token&refresh_token=[access token returned from step 2]" https://login.eveonline.com/oauth/token

but this command returns

{"error":"invalid_request","error_description":"The refresh token is malformed."}

Clearly the syntax of the command in step 4 is wrong somehow, but I can’t figure it out. Can anyone help?

I’d read thru OAuth 2.0 for Web Based Applications | esi-docs and Refreshing tokens | esi-docs.

Few things I noticed:

  1. You’re making requests against the v1 oauth routes, when it should be like /v2/oauth/authorize and /v2/oauth/token.
  2. Your access_token != refresh_token. You should have gotten both back in your step 2 here.
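
An added example, not part of either post and not ESI's own code: it builds the refresh request from the step 2 token response using the `refresh_token` field and the v2 route named in the reply, and rejects the step 4 mistake of sending the access token. The sample response, its values and the function name are constructed for illustration; the request is built but never sent.

```python
import base64
import json
import urllib.parse
import urllib.request

# v2 token route named in the reply, on the host used in the question.
TOKEN_URL = "https://login.eveonline.com/v2/oauth/token"

# Constructed sample of a step-2 token response; all values are placeholders.
SAMPLE_TOKEN_RESPONSE = """{
  "access_token": "constructed-access-token",
  "token_type": "Bearer",
  "expires_in": 1199,
  "refresh_token": "constructed-refresh-token"
}"""
SAMPLE_TOKENS = json.loads(SAMPLE_TOKEN_RESPONSE)


def build_refresh_request(candidate, tokens, client_id, secret):
    """Return an unsent POST that refreshes `tokens` using `candidate`."""
    if "refresh_token" not in tokens:
        raise ValueError("token response has no refresh_token field")
    if candidate == tokens.get("access_token"):
        # The mistake in step 4: the access token is not a refresh token.
        raise ValueError("access_token passed where refresh_token is required")
    if candidate != tokens["refresh_token"]:
        raise ValueError("value is not the refresh_token from this response")
    basic = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": candidate}
    ).encode()
    return urllib.request.Request(
        TOKEN_URL,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


if __name__ == "__main__":
    req = build_refresh_request(
        SAMPLE_TOKENS["refresh_token"], SAMPLE_TOKENS, "client-id", "secret"
    )
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```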
