OAuth 2.0 Client Credentials Flow

Can someone here please point out whatever stupid mistake I am making when trying to connect to PayPal APIs?

Setting up my resource:

Using Resource to make API call

I get this error:

{
  "error": "invalid_token",
  "error_description": "Token signature verification failed"
}

Things I have checked:

  • I reference Bearer OAUTH2_TOKEN in the header
  • Verified client ID and secret are accurate for the environment I am using
  • Verified I am connecting to the PayPal sandbox environments

I hope I am just missing something very basic, can anyone please help? Thank you!

@Jessica_D Have you checked to see what is being sent in the request? If you Preview the query in the app and then click on the API Request tab next to Response you should see the raw Authorization header value.

Thanks for pointing out I could see the un-sanitized header by using the Preview function. I was going crazy that I couldn't see it when actually running the request!

As suspected, the magic keyword of OAUTH2_TOKEN is not being replaced: "Authorization": "Bearer OAUTH2_TOKEN"

@Retool team, is this a bug?

    "headers": {
      "User-Agent": "Retool/2.0 (+https://docs.tryretool.com/docs/apis)",
      "Authorization": "Bearer OAUTH2_TOKEN",
      "ot-baggage-requestId": "undefined",
      "x-datadog-trace-id": "4091177160949669678",
      "x-datadog-parent-id": "5227738462811290591",
      "x-datadog-sampling-priority": "-1",
      "traceparent": "00-000000000000000038c6c7f3af989f2e-488ca86f26837bdf-00",
      "tracestate": "dd=s:-1",
      "X-Retool-Forwarded-For": "108.228.69.57"
    }

When that 'magic string' isn't replaced, it generally means that the string wasn't populated with a meaningful value during the auth process, i.e. the auth failed. I have resources where that's being replaced now, so it doesn't immediately jump out as a bug, but checking on some specifically using client credentials to make sure.

@Jessica_D Do you have access to the authentication flow on the PayPal side? As noted above, if the auth fails we don't have a value to replace the magic string with. Can you see auth attempts and failures on that side of things? Another couple of values to check would be the Audience and Scope fields. These are required for successful auth in some cases and this may be failing because they are not populated.

Thanks for looking into this.

I just tried adding a scope, and still had the same issue. I know that authentication in general works because I can use the PayPal token endpoint directly to get a token, store it as a variable and use that in any subsequent API calls, but I am not able to do this more elegantly the 'right way'.

@Jessica_D Yeah, confirmed this is an issue with the Retool <> PayPal interaction. The authentication fails which is why the magic string is not replaced. We have an internal ticket tracking this now and will update this thread when there is any additional information to share on how to get this done natively.

What is the status of this? I'm currently integrating a similar REST API and experience exactly the same symptoms.
Generally speaking, the OAuth authentication process with client credential is very opaque, so hard to debug.

Hey @engberg, mind sharing the API you are trying to authenticate against, and your resource setup? In general this works well, but happy to submit a bug report for a specific service.

We've had the same issue with OAuth Workflow on the PayPal and the Amazon Selling Partner API - would be great to get that running

I'm experiencing the same problem

I ran into the same issue. My workaround was to use Custom API authentication to recreate the client credentials flow.
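The workaround described above, recreating the client credentials flow by hand, as an added example (not code from this thread, Retool, or PayPal): it builds the RFC 6749 client-credentials token request, surfaces the token endpoint's error instead of hiding it, and refuses to send an API call whose header still holds the literal OAUTH2_TOKEN. The function names, token URL and credentials are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

PLACEHOLDER = "OAUTH2_TOKEN"  # literal left unreplaced in the thread's header dump

def build_token_request(token_url, client_id, client_secret, scope=None):
    """Build the client-credentials token request (RFC 6749 sec. 4.4); nothing is sent."""
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    # Client authenticates with HTTP Basic: base64("client_id:client_secret")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": token_url,
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded",
                    "Accept": "application/json"},
        "body": urlencode(form),
    }

def bearer_header(status, body_text):
    """Turn the token endpoint's reply into an Authorization header, or fail loudly."""
    try:
        data = json.loads(body_text)
    except ValueError:
        raise RuntimeError(f"token endpoint returned non-JSON (HTTP {status})")
    if not isinstance(data, dict):
        raise RuntimeError(f"token endpoint returned unexpected JSON (HTTP {status})")
    if status != 200 or not data.get("access_token"):
        # Surface the OAuth error fields so a failed auth is visible to the caller
        raise RuntimeError(f"token request failed (HTTP {status}): "
                           f"{data.get('error')}: {data.get('error_description')}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    return {"Authorization": f"Bearer {data['access_token']}"}

def check_outgoing(headers):
    """Refuse to send a request whose bearer value is empty or still the placeholder."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or value.strip() in ("", PLACEHOLDER):
        raise RuntimeError("Authorization header carries no real token; fix auth first")
    return headers
```
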

I get exactly the same issue.
