Refresh Token API for SuiteCRM

Hi guys,

I am trying to get an access token for the SuiteCRM v8 APIs via the refresh token, but the documentation does not have any info around the same. I also searched various forums in vain and did not find anything on this.

Is there a way to get the access token (after expiry) from the refresh token for SuiteCRM? Or a way to increase the expiry of the access token?

I have tried to set the 'grant_type' parameter to 'refresh_token' for the access token API, but it throws an error. Really appreciate the help on the same.
Thanks in advance.

I’m seeing the same thing in 7.10.7; the OAuth server by the PHP League supports a refresh_token grant type, but the OAuth API in Suite responds negatively to refresh_token requests. There appears to be no code in place to make it work, which represents a gaping hole in the implementation.

Same here, no code in place to refresh token… hoping the next release fixes it.

Note that there are substantial improvements in the v8 API in SuiteCRM 7.10.10, make sure you check that one out.

Will do, thank you for the info. In the meantime I’ll keep using 7.10.9 while keeping under sight so that I can eventually upgrade.

Any updates on the topic? I am using the v8 API with grant_type = refresh_token but I get this error:

    {
        "error": "unsupported_grant_type",
        "message": "The authorization grant type is not supported by the authorization server.",
        "hint": "Check the `grant_type` parameter"
    }

Same problem. It seems that the RefreshGrant type is not enabled.

Has anyone found a solution?


Version 7.10.22:
refresh_token works,
but you need to perform a form request rather than JSON, because of the "No user found" error.

php example

    $ch = curl_init();

    // password grant (first login; the response includes a refresh_token)
    $postStr = array(
        'grant_type'    => 'password',
        'client_id'     => 'client id',
        'client_secret' => 'client secret',
        'username'      => 'admin',
        'password'      => 'password',
    );

    // for refresh token (use this array instead of the one above)
    $postStr = array(
        'grant_type'    => 'refresh_token',
        'client_id'     => 'client id',
        'client_secret' => 'client secret',
        'username'      => 'any valid user you want',
        'refresh_token' => 'refresh token',
    );

    $url = 'http://suitecrm/Api/access_token';
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
    // passing an array makes cURL send form fields, not a JSON body
    curl_setopt($ch, CURLOPT_POSTFIELDS, $postStr);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $output = curl_exec($ch);
    curl_close($ch);
    $token = json_decode($output, true); // access_token, refresh_token, expires_in
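Added example, not code from the thread or from the SuiteCRM project: a small Python client that does what the PHP snippet above does by hand, but caches the tokens, sends the grant as a form body rather than JSON, refreshes only when the access token has expired, and falls back to the password grant when the server rejects the refresh token. The host in `TOKEN_URL`, the `expires_in` default, and the injectable `post`/`now` hooks (for offline testing) are assumptions.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "http://suitecrm/Api/access_token"  # endpoint from the thread; host is assumed


def http_post_form(url, fields):
    """POST as application/x-www-form-urlencoded (not JSON; the thread says JSON breaks refresh)."""
    req = Request(url, data=urlencode(fields).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.loads(resp.read().decode())


class SuiteCrmTokenClient:
    def __init__(self, client_id, client_secret, username, password,
                 post=http_post_form, url=TOKEN_URL, now=time.time):
        self.creds = {"client_id": client_id, "client_secret": client_secret}
        self.username, self.password = username, password
        self.post, self.url, self.now = post, url, now  # injectable for offline tests
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _store(self, resp):
        if "error" in resp:  # surface the server's error and hint, never the credentials
            raise RuntimeError(f"{resp['error']}: {resp.get('hint', '')}")
        self.access_token = resp["access_token"]
        # the client_credentials grant returns no refresh_token; keep any existing one
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        # expires_in is standard OAuth2; 3600 s is an assumed default, minus a 30 s margin
        self.expires_at = self.now() + int(resp.get("expires_in", 3600)) - 30
        return self.access_token

    def login(self):  # the password grant is the one the thread confirms returns a refresh_token
        fields = dict(self.creds, grant_type="password",
                      username=self.username, password=self.password)
        return self._store(self.post(self.url, fields))

    def refresh(self):  # the posted PHP example also sends username here; mirrored
        fields = dict(self.creds, grant_type="refresh_token",
                      username=self.username, refresh_token=self.refresh_token)
        resp = self.post(self.url, fields)
        if resp.get("error") == "invalid_request":  # e.g. "Cannot decrypt the refresh token"
            return self.login()  # refresh token unusable: fall back to a fresh password grant
        return self._store(resp)

    def bearer(self):  # usable access token; refresh only when the cached one has expired
        if self.access_token and self.now() < self.expires_at:
            return self.access_token
        return self.refresh() if self.refresh_token else self.login()
```

Call `bearer()` before each API request and put the result in the `Authorization: Bearer` header; the password is only sent again when no refresh token is available or the server refuses it.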

Still wrestling with this refresh_token issue. I am able to get a new token and can crack it apart to see the fields inside of it, but I am unsure of what I should be passing back in the call to refresh?

    {"error":"invalid_request","message":"The refresh token is invalid.","hint":"Cannot decrypt the refresh token"}

See other API thread for details

From your access_token request you will get refresh_token field.
Use it to refresh your token.

LOL – I would if I was getting one !

I’m patched up through 7.11.13 and have confirmed that the db table only contains "null" values for refresh:

    MariaDB [suitecrm]> select id,access_token,refresh_token from oauth2tokens;
    | id                                   | access_token                                                                     | refresh_token |
    | 190fe8ff-0aa9-d72d-aaca-5f3952e619c8 | e67cae4f98c22604ec97e68078e56ba4861e8c065f7d96922b7f6356401e332f9c38f9a56c7a8b52 | NULL          |
    | 1f684bbd-465c-3e9c-12f4-5f394fa8a47c | cf12a1da13d4cb1a3be5600ee7e23b7e0b6ec6c3fafc872dfd620c9f72f1c986954245147fe0c8cc | NULL          |
    | 2677d36d-2886-aab0-ec4e-5f39510f30a6 | 040a49ccdb25f45a86c6f30ffbaa053b1c93f458c6bfa9218b4ddfac5ecbd33c85a40ac0c0ee899d | NULL          |
    | 31feca5e-7212-f42c-a058-5f39472b35a3 | 313a3d8f1f1350f269e861200c0d06e0136ec0d90e71e78187663cfe341a45c057ac3fccc03f53cb | NULL          |
    | 38c8af98-d3f3-9a05-d4f2-5f39475381a3 | 6645e14d53a44fef28c668ce1ca7afe738327891ed696c019129b5c0bdec1f1211f4a79cce61457a | NULL          |
    | 4cae07ce-1f22-5b19-3933-5de7ad7454cc | f5ee2aa3eb0a2a0bc91306e4cd9b790206bbba82693d9f541db9f007c5cdb9e841b66d3a205492bc | NULL          |
    | 4ddfd2d3-7a92-6815-0d7a-5f3961f0b4cb | 7b624224b5797713ae1f68138cff273ce27a1d76333af525b7ca74946b9734afd8dff858b07a226f | NULL          |
    | 4e400e29-f4f0-ef67-9a44-5f39474e75d9 | 4f93b08b74ec86a6f78c539ec46236bb64703fc57aa3b16b809e79879a6258343315b8ea8e7ec3fe | NULL          |
    | 4f4a8a4f-e8f6-6d60-bad6-5f394654245b | bc32d231f5984c56e647c2d3d4125d9d92e3abb2c929a22eb085b49135e74f7e80f6736b31fcf0b5 | NULL          |

Is there some other “patch” missing??


7.11.13 is fine since refresh_token grant was implemented in 7.11.9

Just to be sure, are you using 'grant_type' => 'password'?
The authorization server response for the "Client Credentials" grant type does NOT include a "refresh_token" property.

Nope and that now produces one. Thanks.

But honestly, what’s the sense in having a required user/password combo for what should normally be available to an API key ??

I don’t know of any other system that I’ve coded to that can’t just use an API key and secret to obtain refreshable bearer tokens…


How are you storing the token once you receive it from access_token?

I receive the access token, but how to refresh the token and run post/get with the tokens?

I’m storing it temporarily in a sqlite3 database at least in the test harness system