Implementing bearer authentication

Hi all,

I’m working on creating a SmartApp in C#.
Looking for info on the authentication interaction - pretty much looking to implement from scratch.
Based on my understanding from here (Lifecycles | SmartThings Developers), at the INSTALL phase, the authentication tokens are received:

"authToken": "string",
"refreshToken": "string",

Is this authToken the token to use with the Bearer header?
Trying to follow the directions here: (OAuth Integrations | SmartThings Developers)
And then based on this last link, do I refresh the bearer token by posting to the authentication server with the PAT? Or what is the sequence of events/requests to get the token refreshed?
And that needs to happen every 24 hours or so?

Thanks for any help/insight
@jody.albritton @nayelyz

Hi, @Lev

Some Community devs have shared their experience on something similar, see below:

  1. SmartApp Webhook HTTP Signatures
  2. Building First SmartApp for Dummies

In the OAuth framework you get an Access Token and a Refresh Token: the first is used as authorization in the requests and expires in 24hrs; the other helps you get new Access Tokens.

Hi @nayelyz ,

Thanks for your response.
I’ve followed these posts and instructions, and have tried to implement the refresh token to get a new token using the logic in Adam Green’s post:

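$ch = curl_init( "" );
// Make curl_exec() return false on HTTP status codes >= 400
curl_setopt( $ch, CURLOPT_FAILONERROR, true );
// Client credentials go in an HTTP Basic Authorization header
curl_setopt( $ch, CURLOPT_HTTPHEADER, array( "Content-Type: application/x-www-form-urlencoded", "Authorization: Basic " . base64_encode( "{$clientId}:{$clientSecret}" ) ) );
// Setting CURLOPT_POSTFIELDS makes cURL send the request as a POST
curl_setopt( $ch, CURLOPT_POSTFIELDS, "grant_type=refresh_token&client_id={$id}&refresh_token={$refreshtoken}" );
// Return the response body as a string instead of printing it
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true);
$post = curl_exec( $ch );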

  1. I set a “Content-Type” header to “application/x-www-form-urlencoded”
  2. I set the “Authentication” header to "Basic " + the base64 encoded version of clientId:clientsecret
  3. I use the URL post fields:
    client_id={$id} //(which I assume is the same client ID as above)
  4. I send a GET request to “” with the above, but don’t seem to get the expected response.

I tried creating that request also with Postman (timed it right after the installation of the App just to be able to use an updated refreshtoken), and the return is again not what I would expect.

Would it be possible to help me construct the appropriate refresh token request or point me in the right direction?

Thanks again

Thanks again, with help from @orangebucket I was able to realize the misstep - it’s a POST, not a GET.
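
As an added example (not code from any poster in this thread or from SmartThings), here is the refresh request from the cURL snippet above written in C# as a POST. The token endpoint URL is a placeholder because the thread does not give it, and the class and method names are hypothetical. It assumes the same client ID goes in both the Basic header and the form body, and that the server answers with a standard OAuth 2.0 (RFC 6749) JSON token response.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class TokenRefresher   // hypothetical helper, not a SmartThings API
{
    // Placeholder: the thread does not state the token endpoint URL.
    private const string TokenEndpoint = "https://auth.example.invalid/oauth/token";

    // Same request as the cURL snippet: POST, Basic client credentials, form body.
    public static HttpRequestMessage BuildRefreshRequest(
        string clientId, string clientSecret, string refreshToken)
    {
        var basic = Convert.ToBase64String(
            Encoding.UTF8.GetBytes($"{clientId}:{clientSecret}"));
        var request = new HttpRequestMessage(HttpMethod.Post, TokenEndpoint)
        {
            // Sets Content-Type: application/x-www-form-urlencoded and
            // percent-encodes every value.
            Content = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "refresh_token",
                ["client_id"] = clientId,   // assumption: same ID as in the header
                ["refresh_token"] = refreshToken,
            })
        };
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
        return request;
    }

    // Assumption: RFC 6749 response fields "access_token" and "refresh_token".
    public static async Task<(string AccessToken, string RefreshToken)> RefreshAsync(
        HttpClient http, string clientId, string clientSecret, string refreshToken)
    {
        using var request = BuildRefreshRequest(clientId, clientSecret, refreshToken);
        using var response = await http.SendAsync(request);
        if (!response.IsSuccessStatusCode)   // report the status only, never the tokens
            throw new HttpRequestException($"Token refresh failed: {(int)response.StatusCode}");
        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        var access = doc.RootElement.GetProperty("access_token").GetString()
            ?? throw new InvalidOperationException("access_token missing");
        // Keep the current refresh token if the response does not carry a new one.
        var next = doc.RootElement.TryGetProperty("refresh_token", out var r)
            ? r.GetString() ?? refreshToken : refreshToken;
        return (access, next);
    }
}
```

The returned access token is the value sent in the `Authorization: Bearer` header on later API calls; store both tokens as secrets and keep them out of logs.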