My Products

Problem getting access token

by eriksjolander

We have just launched our integration with but are having problems onboarding our first users.
We redirect them to:
(With some real state, I removed it in this example)
They are prompted to login and select their organization, then they are redirect back to our app with a code and the state.
We make a POST request to
username: isv_boardeaser
In the body we include:
code - that we receive from you in the callback url
The response is 400 with body {"error":"invalid_request"}.
Do you have any idea what might be going wrong with this client?
We have been successful with connecting it to our own ISV-account.


by eriksjolander (Updated ‎27-05-2024 23:06 by eriksjolander )
Do you have any idea why it works when we test on Companies in ISV Boardeaser AB but not for our customers?
When I go through the same flow as a customer:

1. Sign in to Boardeaser
3. I sign in to
4. I select `Visualby Test Company`
5. It redirects to Boardeaser
7. The account is connected.

But for our customer it fails on step 6 and we get `invalid_request` as the error message with status 400.

The API call for step 6 is as follows:

headers: {"Accept"=>"*/*", "User-Agent"=>"rest-client/2.1.0 (darwin23 arm64) ruby/3.3.1p55", "Content-Type"=>"application/x-www-form-urlencoded", "Content-Length"=>"150", "Accept-Encoding"=>"gzip;q=1.0,deflate;q=0.6,identity;q=0.3", "Host"=>""
response status: 400
body: {"error":"invalid_request"}
Marten Voort

by Marten Voort

Can you check if the users have api-user rights? This can be configured in admin. See also


We have now validated that the customer has API-user rights. We tried removing the rights from one of our test users and get a access denied message in the authentication process when that is the case.  The customer can go through the whole authentication process and pick the correct company but still gets a 400 response with {"error":"invalid_request"} in the token request.

Marten Voort

The only way I can reproduce this error if I leave the body completely empty. I suspect there is something wrong with the url encoding or form structure of the body. If this does not help you, I suggest you take this up with local support, because we need to do an in-depth check on what is the cause of this error. You can find local support on this page:

Marten Voort

by Marten Voort

Hi Erik, I see you have a username in the request, this should not be needed. Furthermore, some fields seem to be missing in the body of your token request. It should be like this Curl example request:


curl --request POST --url --header 'content-type: application/x-www-form-urlencoded' --data 'grant_type=authorization_code&'


Let me know if this helps you.


After making the changes you suggested, we still get the same error when trying to get a token for the customer. It still works perfectly fine when we try with our own test users.