ESI: The refresh token is malformed

I am creating a PHP app on a Windows box and I wanted to get the basic ESI OAuth flow worked out before I started coding. I’m running into a problem when trying to refresh a token.

Here’s what I am doing:

  1. Browse to the following URL:[client ID string]&scope=esi-markets.structure_markets.v1&secret=[secret string]

  2. Copy/paste authorization code from URL returned in step 1 and run the following command in CMD window

curl -XPOST -H "Content-Type:application/json" -H "Authorization:Basic [Base64 encrypted clientID:secret string ending in ==]" -d "{\"grant_type\":\"authorization_code\", \"code\":\"[code copy/pasted from URL returned in step 1]\"}"

  3. Make a request against in a CMD window

curl -XGET -H "Authorization: Bearer [authorization token]"

which returns


  4. I then want to refresh the token by running this in a CMD window:

curl -XPOST --header "Accept: application/json" -H "Content-Type:application/x-www-form-urlencoded" -H "Authorization:Basic [Base64 encrypted clientID:secret string ending in ==]" -d "grant_type=refresh_token&refresh_token=[access token returned from step 2]"

but this command returns

{"error":"invalid_request","error_description":"The refresh token is malformed."}

Clearly the syntax of the command in step 4 is wrong somehow, but I can’t figure it out. Can anyone help?

I’d read through OAuth 2.0 for Web Based Applications | esi-docs and Refreshing tokens | esi-docs.

Few things I noticed:

  1. You’re making requests against the v1 oauth routes, when it should be like /v2/oauth/authorize and /v2/oauth/token.
  2. Your access_token != refresh_token. You should have gotten both back in your step 2 here.
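
The second point of the reply, as an added example that is not part of the original thread or of the ESI documentation: it takes the JSON returned by the step 2 exchange and builds the step 4 refresh request from the `refresh_token` field, form-encoding the value. The function names and the sample response are constructed for illustration, and the SSO host is left out because the thread does not show it.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_PATH = "/v2/oauth/token"  # v2 route named in the reply above


def basic_auth(client_id: str, secret: str) -> str:
    """HTTP Basic credential: base64 of "client_id:secret"."""
    raw = f"{client_id}:{secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_refresh_request(token_response: str, client_id: str, secret: str):
    """Turn the JSON body returned by the authorization_code exchange (step 2)
    into the path, headers and form body of the refresh call (step 4)."""
    tokens = json.loads(token_response)
    refresh = tokens.get("refresh_token")
    if not refresh:
        raise ValueError("step 2 response has no refresh_token field")
    if refresh == tokens.get("access_token"):
        raise ValueError("refresh_token must not be the access_token")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth(client_id, secret),
    }
    # urlencode percent-escapes characters such as + / = that would
    # otherwise be altered when the server decodes the form body.
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh})
    return TOKEN_PATH, headers, body


# Constructed sample of a step 2 response; every value is a placeholder.
SAMPLE = json.dumps({
    "access_token": "ACCESS.TOKEN.PLACEHOLDER",
    "token_type": "Bearer",
    "expires_in": 1199,
    "refresh_token": "REFRESH+TOKEN/PLACEHOLDER==",
})

if __name__ == "__main__":
    path, headers, body = build_refresh_request(SAMPLE, "my-client-id", "my-secret")
    print("POST", path)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print(body)
```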
