Hi guys,
I am trying to get an access token for the SuiteCRM v8 APIs access via the refresh token, but the documentation does not have any info around the same. I also searched various forums in vain and did not find anything on this.
Is there a way to get the access token (after expiry) from the refresh token for SuiteCRM? Or a way to increase the expiry of the access token?
I have tried to set the "grant_type" parameter to "refresh_token" for the access token API, but it throws an error. Really appreciate the help on the same.
Thanks in advance.
I'm seeing the same thing in 7.10.7; the OAuth server by the PHP League supports a refresh_token grant type, but the OAuth API in Suite responds negatively to refresh_token requests. There appears to be no code in place to make it work, which represents a gaping hole in the implementation.
Bees
16 November 2018 10:28
3
Same here, no code in place to refresh token… hoping the next release fixes it.
pgr
16 November 2018 13:26
4
Note that there are substantial improvements in the v8 API in SuiteCRM 7.10.10, make sure you check that one out.
Bees
16 November 2018 16:30
5
Will do, thank you for the info. In the meantime I'll keep using 7.10.9 while keeping https://github.com/salesagility/SuiteCRM/projects/2 under sight so that I can eventually upgrade.
Any updates on the topic? I am using v8 API with grant_type = refresh_token but getting error:
{
"error": "unsupported_grant_type",
"message": "The authorization grant type is not supported by the authorization server.",
"hint": "Check the `grant_type` parameter"
}
Same problem. It seems that the RefreshGrant type is not enabled.
Has anyone found a solution?
Version 7.10.22
refresh_token works
but you need to perform a form request, rather than JSON, because of the "No user found" error.
PHP example:
<?php
$ch = curl_init();
// Password grant: placeholder values, replace with your own client and user.
$postStr = array(
    'grant_type' => 'password',
    'client_id' => 'client id',
    'client_secret' => 'client secret',
    'username' => 'admin',
    'password' => 'password',
);
// for refresh token
/*
$postStr = array(
    'grant_type' => 'refresh_token',
    'client_id' => 'client id',
    'client_secret' => 'client secret',
    'username' => 'any valid user you want',
    'refresh_token' => 'refresh token'
);
*/
$url = 'http://suitecrm/Api/access_token';
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
// Passing an array makes curl send the fields as a form request, not JSON.
curl_setopt($ch, CURLOPT_POSTFIELDS, $postStr);
// Return the response body from curl_exec() instead of printing it.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$output = curl_exec($ch);
var_dump($output);
?>
2 Likes
Still wrestling with this refresh_token issue. Am able to get a new token and can crack it apart to see fields inside of it, but unsure of what I should be passing back in the call to refresh?
"{"error":"invalid_request","message":"The refresh token is invalid.","hint":"Cannot decrypt the refresh token"}"
See other API thread for details
Progress! Looks like you need to split out the three fields in there separated by dot (".") THEN you can base64 decode to get the field:
Explode access_token
Array
(
[0] => eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6IjA2YjBmMjUyYjM0ZWI2ZmYyZTc5MGM0MTUwYTk0MjY0MDM5MGQzYjE3YjU1YzY0NGE2MGFiODNjOWQzMjI3N2U4M2E4ODU4YzI5M2Y2ZjhkIn0
[1] => eyJhdWQiOiJkNDM1MWI4Mi1kOTJjLTVlZTMtMzAwOC01ZGUyZThhN2YwZjYiLCJqdGkiOiIwNmIwZjI1MmIzNGViNmZmMmU3OTBjNDE1MGE5NDI2NDAzOTBkM2IxN2I1NWM2NDRhNjBhYjgzYzlkMzIyN…
From your access_token request you will get refresh_token field.
Use it to refresh your token.
LOL - I would if I was getting one!
I'm patched up through 7.11.13 and have confirmed that the db tables only contain "null" values in it for refresh
MariaDB [suitecrm]> select id,access_token,refresh_token from oauth2tokens;
+--------------------------------------+----------------------------------------------------------------------------------+---------------+
| id | access_token | refresh_token |
+--------------------------------------+----------------------------------------------------------------------------------+---------------+
| 190fe8ff-0aa9-d72d-aaca-5f3952e619c8 | e67cae4f98c22604ec97e68078e56ba4861e8c065f7d96922b7f6356401e332f9c38f9a56c7a8b52 | NULL |
| 1f684bbd-465c-3e9c-12f4-5f394fa8a47c | cf12a1da13d4cb1a3be5600ee7e23b7e0b6ec6c3fafc872dfd620c9f72f1c986954245147fe0c8cc | NULL |
| 2677d36d-2886-aab0-ec4e-5f39510f30a6 | 040a49ccdb25f45a86c6f30ffbaa053b1c93f458c6bfa9218b4ddfac5ecbd33c85a40ac0c0ee899d | NULL |
| 31feca5e-7212-f42c-a058-5f39472b35a3 | 313a3d8f1f1350f269e861200c0d06e0136ec0d90e71e78187663cfe341a45c057ac3fccc03f53cb | NULL |
| 38c8af98-d3f3-9a05-d4f2-5f39475381a3 | 6645e14d53a44fef28c668ce1ca7afe738327891ed696c019129b5c0bdec1f1211f4a79cce61457a | NULL |
| 4cae07ce-1f22-5b19-3933-5de7ad7454cc | f5ee2aa3eb0a2a0bc91306e4cd9b790206bbba82693d9f541db9f007c5cdb9e841b66d3a205492bc | NULL |
| 4ddfd2d3-7a92-6815-0d7a-5f3961f0b4cb | 7b624224b5797713ae1f68138cff273ce27a1d76333af525b7ca74946b9734afd8dff858b07a226f | NULL |
| 4e400e29-f4f0-ef67-9a44-5f39474e75d9 | 4f93b08b74ec86a6f78c539ec46236bb64703fc57aa3b16b809e79879a6258343315b8ea8e7ec3fe | NULL |
| 4f4a8a4f-e8f6-6d60-bad6-5f394654245b | bc32d231f5984c56e647c2d3d4125d9d92e3abb2c929a22eb085b49135e74f7e80f6736b31fcf0b5 | NULL |
Is there some other "patch" missing??
-dvd
7.11.13 is fine since refresh_token grant was implemented in 7.11.9
Just to be sure, are you using 'grant_type' => 'password' ?
It does NOT show a "refresh_token" property in the grant type "Client Credentials" authorization server response.
Nope and that now produces one. Thanks.
But honestly, what's the sense in having a required user/password combo for what should normally be available to an API key??
I don't know of any other system that I've coded to that can't just use an API key and secret to obtain refreshable bearer tokens…
-dvd
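The client-side handling the posts above arrive at, as an added example that is not from the thread or from SuiteCRM: read the expiry by splitting the access-token JWT on "." and base64url-decoding the payload, then build either a refresh_token request or, when the stored response has no refresh_token (the client-credentials case), a fresh token request. The `exp` claim, the function names and all sample values are assumptions.

```php
<?php
// Added example; every token and credential below is constructed.

// Decode one base64url JWT segment (header or payload) into an array.
// This only reads the claims, it does NOT verify the RS256 signature.
function decodeJwtSegment(string $segment): array
{
    $b64 = strtr($segment, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $json = base64_decode($b64, true);
    $data = $json === false ? null : json_decode($json, true);
    if (!is_array($data)) {
        throw new InvalidArgumentException('segment is not base64url JSON');
    }
    return $data;
}

// $stored: decoded JSON response from /Api/access_token.
// $client: client_id, client_secret and any other fields the server expects.
// Returns null while the token is valid, else the form fields to POST next.
function nextTokenRequest(array $stored, array $client, int $now, int $skew = 60): ?array
{
    $parts = explode('.', $stored['access_token'] ?? '');
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('access_token is not a 3-part JWT');
    }
    $claims = decodeJwtSegment($parts[1]);
    if (isset($claims['exp']) && $claims['exp'] - $skew > $now) {
        return null; // still valid, keep using it
    }
    if (empty($stored['refresh_token'])) {
        // Client-credentials responses carry no refresh_token: request anew.
        return $client + ['grant_type' => 'client_credentials'];
    }
    // The refresh token is opaque to the client: send it back unchanged.
    return $client + [
        'grant_type' => 'refresh_token',
        'refresh_token' => $stored['refresh_token'],
    ];
}

// Constructed sample: a token that expired at t=1000, checked at t=2000.
$enc = fn(array $a) => rtrim(strtr(base64_encode(json_encode($a)), '+/', '-_'), '=');
$jwt = $enc(['typ' => 'JWT', 'alg' => 'RS256']) . '.' . $enc(['exp' => 1000]) . '.sig';
$client = ['client_id' => 'example-id', 'client_secret' => 'example-secret'];
$fields = nextTokenRequest(['access_token' => $jwt, 'refresh_token' => 'opaque'], $client, 2000);
// A urlencoded string makes curl send a form body, not JSON.
echo http_build_query($fields), "\n";
```

Pass the `http_build_query()` string (or the array itself) to `CURLOPT_POSTFIELDS`; in real use supply `time()` as `$now`.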
rasel
11 January 2021 20:38
15
How are you storing the token once you receive it from access_token?
I receive the access token, but how to refresh the token and run post/get with the tokens?
I'm storing it temporarily in a sqlite3 database at least in the test harness system
Ruvin
17 June 2025 05:03
17
Is there any solution for this issue?
I cannot generate new access_token from refresh_token…
I'm using Suite v7.14.4
looks like this bug hasn't been resolved yet
I'm getting error:
{
"error": "invalid_client",
"error_description": "Client authentication failed",
"message": "Client authentication failed"
}
rsp
17 June 2025 13:33
18
Do you have this in your code? It could be an issue of your config.
Ruvin
17 June 2025 16:45
19
I'm using the Postman tool to test the API refresh_token. Which section in config do I need to check?