Unable to Refresh token - Custom Application - OAuth2.0 - "error: invalid_grant"

We are actively building a Box Integration. Developed a custom-application to use Authentication as OAuth2.0.

We have added multiple web-integrations and everything works as expected.

When Any action is triggered from Box-Cloud using a Web-Integration
– We use the authCode to generate the access-token with NodeSdk.
– We perform the required task and Workflow is Completed without any issues.

We are storing {access_token, refresh_token, ttl} in our backend database…

The Problem is when we Try to refresh the Token:

  1. The Refresh Token is used for the first time.
  2. The Refresh Token is not expired (I tested within a few minutes, after getting the refresh-token).
  3. I tried using the Authentication flow: Constructing AuthenticationUrl, Allow Access from BOX, Exchange Code for Token, etc. It also failed when I try to Refresh the Token.
  4. I tried using CURL, POSTMAN and NODE-SDK. Everything is throwing the same error related to "Invalid-grant"

“invalid_grant”, “Invalid grant_type parameter”, etc

Tried using Node-Sdk - Response Error Object.

Tried using Curl

Tried using Postman APIs Provided by BOX:

I have used the following documentation as a reference:

Please help me understand what I am missing here.
We are stuck with this issue and development is blocked. Any help is highly appreciated.


Hi @rbarbosa, @pchristensen, @smartoneinok, @CodeBoxSeb,

Can you guys please help me here? Any insights would be really helpful.

Thanks, Sarin


Normally when you get invalid token it is because the token is actually invalid, rather than e.g. expired. First I would check that the token is not truncated or anything like that during the storage and retrieval process. Does this work if you store it somewhere else like a text file and then try?

Also, your cURL example is not going to work. The token refresh endpoint can use application/x-www-form-urlencoded encoding, not JSON like in your example. See https://developer.box.com/reference/post-oauth2-token--refresh/


Hi @pchristensen,

I cross-checked if we are re-formatting or truncating the received tokens.
I just tried again using the curl example you pointed out. I am getting the same error.

Also please check this documentation from Box where it shows the earlier format of the CURL command - [here](https://developer.box.com/guides/authentication/tokens/refresh/)

This time, I used the refresh token which I just received (even before storing it in the database).

Is there any application specific settings or permissions or license, that could cause this??


Ok, @ostefaniuk, there seems to be a discrepancy in the documentation on how to refresh tokens.

Refreshing tokens should ideally just work for OAuth2.0 apps, no settings or license needed. The only way I can reproduce the error message “Invalid refresh token” is when I generate the token with one client_id/secret and then try to refresh using a different client_id/secret from another OAuth2.0 app. Can we rule that out as well?

Hi @pchristensen,

I have only a single custom app created and I use the ClientId and ClientSecret of that application only.

I just verified it, and we are only using a single clientId and clientSecret for generating token and refreshing token.

Are there any other ways to debug this issue?
What if I share the exact datetime of the action, can you check the logs from your end?

Thanks, Sarin.

Hi @sarin-vt,

Thank you for reporting your issue. Our team has updated the sample code on the refresh token guide in the documentation page.

Would you be able to check if the issue persists if you use a free developer account? I’d be grateful if you could set up a new free developer account [Box] with a different e-mail address, create a new app and test the app you’re developing with updated credentials? This way we’ll check if the issue is consistent across different accounts.


Hi @ostefaniuk,

Thanks for pointing me in the right direction.

I tried with a different Dev account and Token-Refresh worked as expected.
This revealed that my code is working fine, so something is wrong with my application.

I did a RESET of my client-secret and used the new secret to initialise the SDK.

Token refresh started working with the new secret.

Thanks, Sarin


Hi folks,

This happens to me a lot, so I just wanted to share my use case.

I have a lot of OAuth 2.0 Box apps and use them in many different places, from python scripts to Postman, etc, and I don’t keep a good record of which box app is being used for what.

When we refresh an access token, we get both a new access and refresh token.

If 2 applications are requesting this for the same app and user, the tokens become mismatched, and that could explain what you are experiencing, although I would expect an invalid token error message (I don’t remember the exact error message I get).

For example, let’s say I have Postman setup correctly for Box app A, made a few calls, got an access and refresh token.

Later in a python script I authorize the same app, and get a new access and refresh token.

A few days later I go back to Postman, and I get the refresh error.
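
The rotation problem described in the post above, and the client_id mismatch mentioned earlier in the thread, as an added example that is not part of the original posts and is not Box or SDK code. It assumes single-use refresh tokens; `SimulatedAuthServer`, `SharedTokenStore`, the token strings and the `app-A`/`app-B` ids are constructed for illustration.

```javascript
// Simulated token endpoint with single-use refresh tokens (constructed; not Box's code).
class SimulatedAuthServer {
  constructor() { this.live = new Map(); this.n = 0; } // refresh_token -> client_id
  issue(clientId) {
    const pair = { access_token: `at-${++this.n}`, refresh_token: `rt-${this.n}` };
    this.live.set(pair.refresh_token, clientId);
    return pair;
  }
  // `body` is an application/x-www-form-urlencoded string, not JSON.
  token(body) {
    const p = new URLSearchParams(body);
    const gt = p.get('grant_type');
    if (gt !== 'refresh_token') return { error: gt ? 'unsupported_grant_type' : 'invalid_request' };
    const rt = p.get('refresh_token');
    // RFC 6749 section 5.2: token unknown, already used, or issued to another client.
    if (this.live.get(rt) !== p.get('client_id')) return { error: 'invalid_grant' };
    this.live.delete(rt); // rotation: the old refresh token stops working here
    return this.issue(p.get('client_id'));
  }
}

// Form-encoded refresh request body. The simulation does not verify client_secret.
function refreshBody(refreshToken, clientId, clientSecret = 'constructed-secret') {
  return new URLSearchParams({ grant_type: 'refresh_token', refresh_token: refreshToken,
    client_id: clientId, client_secret: clientSecret }).toString();
}

// One store per app/user pair (in-memory stand-in for a database row). Every consumer
// refreshes through it, and the rotated pair is persisted before it is used again.
class SharedTokenStore {
  constructor(pair) { this.pair = pair; }
  refresh(server, clientId) {
    const res = server.token(refreshBody(this.pair.refresh_token, clientId));
    if (!res.error) this.pair = res;
    return res;
  }
}

function demo() {
  const server = new SimulatedAuthServer();
  const first = server.issue('app-A');
  // Two tools hold private copies of the same pair; whichever refreshes second loses.
  const script = server.token(refreshBody(first.refresh_token, 'app-A'));
  const postman = server.token(refreshBody(first.refresh_token, 'app-A'));
  const store = new SharedTokenStore(script);
  const sharedOk = !store.refresh(server, 'app-A').error && !store.refresh(server, 'app-A').error;
  const otherApp = server.token(refreshBody(store.pair.refresh_token, 'app-B'));
  return { scriptOk: !script.error, postmanError: postman.error, sharedOk, otherAppError: otherApp.error };
}
console.log(demo());
```
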

