How to update the authToken?

  1. What is the right way to update the authToken that I received, along with the refreshToken, during the SmartApp Install or Update phase?
    I am not using the SDK and trying to make a https request. I see that there are different URLs, e.g., and Which one I am supposed to use? Is there a sample of the http request that works with the latest API and will not be deprecated soon?

  2. I see that there is the authToken property in the EVENT callback. What is the use of it? When it will expire? Should I just ignore it or I have to use it instead of calling the oath/token API?

Thank you.

  1. You will need your app’s client id and client secret as well as the authToken and the refreshtoken.

    Using curl in PHP, an example would be:

     $ch = curl_init( "" );
     curl_setopt( $ch, CURLOPT_FAILONERROR,   true );
     curl_setopt( $ch, CURLOPT_HTTPHEADER,    array( "Content-Type: application/x-www-form-urlencoded", "Authorization: Basic " . base64_encode( "{$id}:{$secret}" ) ) );
     curl_setopt( $ch, CURLOPT_POSTFIELDS,    "grant_type=refresh_token&client_id={$id}&refresh_token={$refreshtoken}" );
     curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true);
     $post = curl_exec( $ch );
  2. The authToken in the EVENT is a temporary token with a five minute expiry time that can save you jumping through hoops with the 30 day one if everything you do is in the event handling.

UPDATE: Just for anyone coming along later, I should make things clearer. The refreshable authToken lasts 24 hours and is not needed in 1). It is the refreshToken that lasts 30 days.

1 Like

Thank you so much, orangebucket!

This is exactly what I was looking for. It would be nice if this would be documented somewhere in the SmartApp docs.

Hi there @orangebucket

I have been trying to implement your curl example and have not been able to get the right response.

I’m working in C# but tried to mimic this in Postman just to abstract the request so I can understand it, and couldn’t get it to work in Postman.
I installed an app right before trying, so I can have a relevant refreshtoken.

Here are the steps I followed (in C# and Postman):

  1. I set a “Content-Type” header to “application/x-www-form-urlencoded”

  2. I set the “Authentication” header to "Basic " + the base64 encoded version of clientId:clientsecret

  3. I use the URL post fields:
    client_id={$id} //(which I assume is the same client ID as above)
    refresh_token={$refreshtoken} //(which I assume is from the app INSTALL event

  4. I send a GET request to with the above, but don’t seem to get the expected response.

Any thoughts, please?

In 2) it is actually an “Authorization” header, though I always call it the wrong thing myself.
In 3) just to be clear the that the braces are part of the string interpolation syntax in PHP so the whole of {$id} and {$refreshtoken} get replaced by the actual values.
In 4) it is a POST, not a GET.

Woops I called it Authentication but I actually used “Authorization” :slight_smile:
But I just changed from GET to POST and suddenly getting the right responses :slight_smile:

Thanks for the help!