Authentication

Overview

The Dexcom API uses OAuth 2.0 to enable client applications to make requests on behalf of users. Users can authenticate themselves with Dexcom and do not enter their login information into the client application directly. Users also authorize a specific scope of data that may be transferred from Dexcom to the client application and can revoke the access at any time.

 It is standard practice to use a pre-built OAuth 2.0 client library instead of writing one from scratch. Libraries are available for a wide variety of languages; many can be found at https://oauth.net/code/.

The diagram below shows an overview of the authentication and authorization flow:

This walkthrough goes over the basics of the authentication process as it applies to the Dexcom API but is not a comprehensive introduction to OAuth 2.0. The following references provide detailed information on the principles and implementation of OAuth 2.0:

Step One: Obtain Application Credentials

All applications have credentials that enable them to make requests. To obtain these credentials, register as a developer and create an app. New credentials are generated for each app and can be found in the app management section.

Parameter	Description
`client_id`	The unique ID for the client application—similar to a username
`client_secret`	The secret for the client application—similar to a password

An application's client_secret should never be shared or distributed. If it is compromised, a new one may be generated in the app management section, which will immediately invalidate the old one.

Step Two: Obtain User Authorization

The application directs the user to the Dexcom login page using the following URL:

https://api.dexcom.com/v2/oauth2/login?client_id={your_client_id}&redirect_uri={your_redirect_uri}&response_type=code&scope=offline_access&state={your_state_value}

When targeting the sandbox environment, the base URL above should be replaced with https://sandbox-api.dexcom.com

The query parameters are described below:

Parameter	Description
`client_id`	The unique ID for the client application—similar to a username
`redirect_uri`	The redirect URI associated with the application; must match the one specified in the app management section
`response_type`	The OAuth 2.0 response type; currently, `code` is the only acceptable input
`scope`	The access scope being requested; currently, `offline_access` is the only acceptable input
`state`	Client-generated value used to maintain state between the request and the callback; used to prevent cross-site request forgery (CSRF) (optional)

See the Authorization Request section of the RFC 6749 OAuth 2.0 Authorization Framework standard for more details on these parameters.

The user will first see the Dexcom login page, where they will enter their Dexcom username and password. The user's credentials are not passed to the client application. After authenticating, the user will be presented with a HIPAA authorization statement. This authorization is required so that the user explicitly grants Dexcom the right to share his or her data with the client application. The basic flow of this process as it appears to the user is illustrated below:

Step Three: Obtain Authorization Code

Upon successful authentication and authorization by the user, an HTTP 302 (redirect) will be returned, and the authorization_code will be appended to your redirect_uri. For example, if your redirect_uri were https://example.com, the redirect will be to https://example.com?code={your_authorization_code}&state={your_state_value}. Extract the authorization_code from the URL for use in the next step. Note that the authorization_code is single-use and expires after one minute. The optional state parameter will only be returned if it was used in Step Two.

If the user denies access in Step Two, the redirect_uri will be appended with ?error=access_denied instead of the authorization code.

Step Four: Obtain Access Token

The authorization_code acquired in Step Three can now be exchanged for an access_token and a refresh_token. The endpoint used for this exchange is:

https://api.dexcom.com/v2/oauth2/token

When targeting the sandbox environment, the base URL above should be replaced with https://sandbox-api.dexcom.com

The form parameters are described below:

Parameter	Description
`client_id`	The unique ID for the client application—similar to a username
`client_secret`	The secret for the client application—similar to a password
`code`	The `authorization_code` obtained in Step Three
`grant_type`	To obtain an access token using an authorization code, use a grant type of `authorization_code`
`redirect_uri`	The redirect URI associated with the application

The Content-Type field in the header should be set to application/x-www-form-urlencoded

Here's an example of obtaining an access_token using an authorization_code:

curl
C#
Go
Java
JS
Node.js
PHP
Python
Ruby
Swift

curl -X POST \
  https://api.dexcom.com/v2/oauth2/token \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'client_secret={your_client_secret}&client_id={your_client_id}&code={your_authorization_code}&grant_type=authorization_code&redirect_uri={your_redirect_uri}'

var client = new RestClient("https://api.dexcom.com/v2/oauth2/token");
var request = new RestRequest(Method.POST);
request.AddHeader("cache-control", "no-cache");
request.AddHeader("content-type", "application/x-www-form-urlencoded");
request.AddParameter("application/x-www-form-urlencoded", "client_secret={your_client_secret}&client_id={your_client_id}&code={your_authorization_code}&grant_type=authorization_code&redirect_uri={your_redirect_uri}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);

func main() {

	url := "https://api.dexcom.com/v2/oauth2/token"

	payload := strings.NewReader("client_secret={your_client_secret}&client_id={your_client_id}&code={your_authorization_code}&grant_type=authorization_code&redirect_uri={your_redirect_uri}")

	req, _ := http.NewRequest("POST", url, payload)

	req.Header.Add("content-type", "application/x-www-form-urlencoded")
	req.Header.Add("cache-control", "no-cache")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)

	fmt.Println(res)
	fmt.Println(string(body))

}

OkHttpClient client = new OkHttpClient();

MediaType mediaType = MediaType.parse("application/x-www-form-urlencoded");
RequestBody body = RequestBody.create(mediaType, "client_secret={your_client_secret}&client_id={your_client_id}&code={your_authorization_code}&grant_type=authorization_code&redirect_uri={your_redirect_uri}");
Request request = new Request.Builder()
  .url("https://api.dexcom.com/v2/oauth2/token")
  .post(body)
  .addHeader("content-type", "application/x-www-form-urlencoded")
  .addHeader("cache-control", "no-cache")
  .build();

Response response = client.newCall(request).execute();

var data = "client_secret={your_client_secret}&client_id={your_client_id}&code={your_authorization_code}&grant_type=authorization_code&redirect_uri={your_redirect_uri}";

var xhr = new XMLHttpRequest();
xhr.withCredentials = true;

xhr.addEventListener("readystatechange", function () {
  if (this.readyState === 4) {
    console.log(this.responseText);
  }
});

xhr.open("POST", "https://api.dexcom.com/v2/oauth2/token");
xhr.setRequestHeader("content-type", "application/x-www-form-urlencoded");
xhr.setRequestHeader("cache-control", "no-cache");

xhr.send(data);

var qs = require("querystring");
var http = require("https");

var options = {
  "method": "POST",
  "hostname": "api.dexcom.com",
  "port": null,
  "path": "/v2/oauth2/token",
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
    "cache-control": "no-cache"
  }
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.write(qs.stringify({ client_secret: '{your_client_secret}',
  client_id: '{your_client_id}',
  code: '{your_authorization_code}',
  grant_type: 'authorization_code',
  redirect_uri: '{your_redirect_uri}' }));
req.end();

<?php

$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://api.dexcom.com/v2/oauth2/token",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => "client_secret={your_client_secret}&client_id={your_client_id}&code={your_authorization_code}&grant_type=authorization_code&redirect_uri={your_redirect_uri}",
  CURLOPT_HTTPHEADER => array(
    "cache-control: no-cache",
    "content-type: application/x-www-form-urlencoded"
  ),
));

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}

import http.client

conn = http.client.HTTPSConnection("api.dexcom.com")

payload = "client_secret={your_client_secret}&client_id={your_client_id}&code={your_authorization_code}&grant_type=authorization_code&redirect_uri={your_redirect_uri}"

headers = {
    'content-type': "application/x-www-form-urlencoded",
    'cache-control': "no-cache"
    }

conn.request("POST", "/v2/oauth2/token", payload, headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))

require 'uri'
require 'net/http'

url = URI("https://api.dexcom.com/v2/oauth2/token")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request = Net::HTTP::Post.new(url)
request["content-type"] = 'application/x-www-form-urlencoded'
request["cache-control"] = 'no-cache'
request.body = "client_secret={your_client_secret}&client_id={your_client_id}&code={your_authorization_code}&grant_type=authorization_code&redirect_uri={your_redirect_uri}"

response = http.request(request)
puts response.read_body

import Foundation

let headers = [
  "content-type": "application/x-www-form-urlencoded",
  "cache-control": "no-cache"
]

let postData = NSMutableData(data: "client_secret={your_client_secret}".data(using: String.Encoding.utf8)!)
postData.append("&client_id={your_client_id}".data(using: String.Encoding.utf8)!)
postData.append("&code={your_authorization_code}".data(using: String.Encoding.utf8)!)
postData.append("&grant_type=authorization_code".data(using: String.Encoding.utf8)!)
postData.append("&redirect_uri={your_redirect_uri}".data(using: String.Encoding.utf8)!)

let request = NSMutableURLRequest(url: NSURL(string: "https://api.dexcom.com/v2/oauth2/token")! as URL,
                                        cachePolicy: .useProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData as Data

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
    print(error)
  } else {
    let httpResponse = response as? HTTPURLResponse
    print(httpResponse)
  }
})

dataTask.resume()

The response will look like:

{
  "access_token": "{your_access_token}",
  "expires_in": 7200,
  "token_type": "Bearer",
  "refresh_token": "{your_refresh_token}"
}

The expires_in value is expressed in seconds.

Step Five: Make Requests Using Bearer Token

Using the access_token, the client app can now make API requests on behalf of the user by passing it in the authorization header. Make sure to specify Bearer as the type. Below is an example request to the /egvs endpoint; see the Endpoint Overview section for the different available resources.

curl
C#
Go
Java
JS
Node.js
PHP
Python
Ruby
Swift

curl -X GET \
'https://api.dexcom.com/v2/users/self/egvs?startDate=2017-06-16T15:30:00&endDate=2017-06-16T15:45:00' \
-H 'authorization: Bearer {your_access_token}'

using System;
using System.Threading.Tasks;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;

public class APIAccess
{
    string _baseUrl = "https://api.dexcom.com";
    string _token = "{your_access_token}";
    private void GetEGV()
    {
        var client = new HttpClient();
        client.DefaultRequestHeaders.Accept.Clear();
        client.DefaultRequestHeaders.Accept.Add(
        new MediaTypeWithQualityHeaderValue("application/json"));
        client.DefaultRequestHeaders.Add("authorization", "Bearer " + _token);
        var url = _baseUrl + "/v1/users/self/egvs?startDate=2017-06-16T15:30:00&endDate=2017-06-16T15:45:00";
        HttpResponseMessage response = client.GetAsync(url).Result;
        Console.Write(response.Content.ReadAsStringAsync().Result);
    }
}

package main

import (
	"fmt"
	"net/http"
	"io/ioutil"
)

func main() {

	url := "https://api.dexcom.com/v1/users/self/egvs?startDate=2017-06-16T15:30:00&endDate=2017-06-16T15:45:00"

	req, _ := http.NewRequest("GET", url, nil)

	req.Header.Add("authorization", "Bearer {your_access_token}")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)

	fmt.Println(res)
	fmt.Println(string(body))

}

OkHttpClient client = new OkHttpClient();

Request request = new Request.Builder()
  .url("https://api.dexcom.com/v2/users/self/egvs?startDate=2017-06-16T15:30:00&endDate=2017-06-16T15:45:00")
  .get()
  .addHeader("authorization", "Bearer {your_access_token}")
  .build();

Response response = client.newCall(request).execute();

var data = null;

var xhr = new XMLHttpRequest();
xhr.withCredentials = true;

xhr.addEventListener("readystatechange", function () {
  if (this.readyState === 4) {
    console.log(this.responseText);
  }
});

xhr.open("GET", "https://api.dexcom.com/v2/users/self/egvs?startDate=2017-06-16T15:30:00&endDate=2017-06-16T15:45:00");
xhr.setRequestHeader("authorization", "Bearer {your_access_token}");

xhr.send(data);

var http = require("https");

var options = {
  "method": "GET",
  "hostname": "api.dexcom.com",
  "port": null,
  "path": "/v2/users/self/egvs?startDate=2017-06-16T15:30:00&endDate=2017-06-16T15:45:00",
  "headers": {
    "authorization": "Bearer {your_access_token}",
    }
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.end();

<?php
$curl = curl_init();
curl_setopt_array($curl, array(
  CURLOPT_URL => "https://api.dexcom.com/v2/users/self/egvs?startDate=2017-06-16T15:30:00&endDate=2017-06-16T15:45:00",
  CURLOPT_CUSTOMREQUEST => "GET",
  CURLOPT_HTTPHEADER => array(
    "authorization: Bearer {your_access_token}"
  ),
));
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}

import http.client

conn = http.client.HTTPSConnection("api.dexcom.com")

headers = {
    'authorization': "Bearer {your_access_token}"
    }

conn.request("GET", "/v2/users/self/egvs?startDate=2017-06-16T15:30:00&endDate=2017-06-16T15:45:00", headers=headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))

require 'uri'
require 'net/http'
require 'openssl'

url = URI("https://api.dexcom.com/v2/users/self/egvs?startDate=2017-06-16T15:30:00&endDate=2017-06-16T15:45:00")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request = Net::HTTP::Get.new(url)
request["authorization"] = 'Bearer {your_access_token}'

response = http.request(request)
puts response.read_body

import Foundation

let headers = [
  "authorization": "Bearer {your_access_token}"
]

let request = NSMutableURLRequest(url: NSURL(string: "https://api.dexcom.com/v2/users/self/egvs?startDate=2017-06-16T15:30:00&endDate=2017-06-16T15:45:00")! as URL,
      cachePolicy: .useProtocolCachePolicy,
  timeoutInterval: 10.0)
request.httpMethod = "GET"
request.allHTTPHeaderFields = headers

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
    print(error)
  } else {
    let httpResponse = response as? HTTPURLResponse
    print(httpResponse)
    if (data != nil){
                let responseData:String! = String(data: data!, encoding: String.Encoding.utf8)
                print(responseData)
            }
  }
})

dataTask.resume()

Step Six: Refresh Tokens

The access_token acquired in Step Four has a limited usage time, as indicated by the expires_in field. The refresh_token can be used to acquire a new one. The endpoint used for this exchange is:

https://api.dexcom.com/v2/oauth2/token

When targeting the sandbox environment, the base URL should be replaced with https://sandbox-api.dexcom.com

The form parameters are described below:

Parameter	Description
`client_id`	The unique ID for the client application—similar to a username
`client_secret`	The secret for the client application—similar to a password
`refresh_token`	The `refresh_token` obtained in Step Four
`grant_type`	To obtain an access token using a refresh token, use a grant type of `refresh_token`
`redirect_uri`	The redirect URI associated with the application

The Content-Type field in the header should be set to application/x-www-form-urlencoded

Here's an example of obtaining an access_token using a refresh_token:

curl
C#
Go
Java
JS
Node.js
PHP
Python
Ruby
Swift

curl -X POST \
  https://api.dexcom.com/v2/oauth2/token \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'client_secret={your_client_secret}&client_id={your_client_id}&refresh_token={your_refresh_token}&grant_type=refresh_token&redirect_uri={your_redirect_uri}'

var client = new RestClient("https://api.dexcom.com/v2/oauth2/token");
var request = new RestRequest(Method.POST);
request.AddHeader("cache-control", "no-cache");
request.AddHeader("content-type", "application/x-www-form-urlencoded");
request.AddParameter("application/x-www-form-urlencoded", "client_secret={your_client_secret}&client_id={your_client_id}&refresh_token={your_refresh_token}&grant_type=refresh_token&redirect_uri={your_redirect_uri}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);

package main

import (
	"fmt"
	"strings"
	"net/http"
	"io/ioutil"
)

func main() {

	url := "https://api.dexcom.com/v2/oauth2/token"

	payload := strings.NewReader("client_secret={your_client_secret}&client_id={your_client_id}&refresh_token={your_refresh_token}&grant_type=refresh_token&redirect_uri={your_redirect_uri}")

	req, _ := http.NewRequest("POST", url, payload)

	req.Header.Add("content-type", "application/x-www-form-urlencoded")
	req.Header.Add("cache-control", "no-cache")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)

	fmt.Println(res)
	fmt.Println(string(body))

}

OkHttpClient client = new OkHttpClient();

MediaType mediaType = MediaType.parse("application/x-www-form-urlencoded");
RequestBody body = RequestBody.create(mediaType, "client_secret={your_client_secret}&client_id={your_client_id}&refresh_token={your_refresh_token}&grant_type=refresh_token&redirect_uri={your_redirect_uri}");
Request request = new Request.Builder()
  .url("https://api.dexcom.com/v2/oauth2/token")
  .post(body)
  .addHeader("content-type", "application/x-www-form-urlencoded")
  .addHeader("cache-control", "no-cache")
  .build();

Response response = client.newCall(request).execute();

var data = "client_secret={your_client_secret}&client_id={your_client_id}&refresh_token={your_refresh_token}&grant_type=refresh_token&redirect_uri={your_redirect_uri}";

var xhr = new XMLHttpRequest();
xhr.withCredentials = true;

xhr.addEventListener("readystatechange", function () {
  if (this.readyState === 4) {
    console.log(this.responseText);
  }
});

xhr.open("POST", "https://api.dexcom.com/v2/oauth2/token");
xhr.setRequestHeader("content-type", "application/x-www-form-urlencoded");
xhr.setRequestHeader("cache-control", "no-cache");

xhr.send(data);

var qs = require("querystring");
var http = require("https");

var options = {
  "method": "POST",
  "hostname": "api.dexcom.com",
  "port": null,
  "path": "/v2/oauth2/token",
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
    "cache-control": "no-cache"
  }
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.write(qs.stringify({ client_secret: '{your_client_secret}',
  client_id: '{your_client_id}',
  refresh_token: '{your_refresh_token}',
  grant_type: 'refresh_token',
  redirect_uri: '{your_redirect_uri}' }));
req.end();

<?php

$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://api.dexcom.com/v2/oauth2/token",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => "client_secret={your_client_secret}&client_id={your_client_id}&refresh_token={your_refresh_token}&grant_type=refresh_token&redirect_uri={your_redirect_uri}",
  CURLOPT_HTTPHEADER => array(
    "cache-control: no-cache",
    "content-type: application/x-www-form-urlencoded"
  ),
));

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}

import http.client

conn = http.client.HTTPSConnection("api.dexcom.com")

payload = "client_secret={your_client_secret}&client_id={your_client_id}&refresh_token={your_refresh_token}&grant_type=refresh_token&redirect_uri={your_redirect_uri}"

headers = {
    'content-type': "application/x-www-form-urlencoded",
    'cache-control': "no-cache"
    }

conn.request("POST", "/v2/oauth2/token", payload, headers)

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))

require 'uri'
require 'net/http'

url = URI("https://api.dexcom.com/v2/oauth2/token")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request = Net::HTTP::Post.new(url)
request["content-type"] = 'application/x-www-form-urlencoded'
request["cache-control"] = 'no-cache'
request.body = "client_secret={your_client_secret}&client_id={your_client_id}&refresh_token={your_refresh_token}&grant_type=refresh_token&redirect_uri={your_redirect_uri}"

response = http.request(request)
puts response.read_body

import Foundation

let headers = [
  "content-type": "application/x-www-form-urlencoded",
  "cache-control": "no-cache"
]

let postData = NSMutableData(data: "client_secret={your_client_secret}".data(using: String.Encoding.utf8)!)
postData.append("&client_id={your_client_id}".data(using: String.Encoding.utf8)!)
postData.append("&refresh_token={your_refresh_token}".data(using: String.Encoding.utf8)!)
postData.append("&grant_type=refresh_token".data(using: String.Encoding.utf8)!)
postData.append("&redirect_uri={your_redirect_uri}".data(using: String.Encoding.utf8)!)

let request = NSMutableURLRequest(url: NSURL(string: "https://api.dexcom.com/v2/oauth2/token")! as URL,
                                        cachePolicy: .useProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData as Data

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
    print(error)
  } else {
    let httpResponse = response as? HTTPURLResponse
    print(httpResponse)
  }
})

dataTask.resume()

The response will look like:

{
  "access_token": "{your_access_token}",
  "expires_in": 7200,
  "token_type": "Bearer",
  "refresh_token": "{your_refresh_token}"
}

Each refresh_token can be used only once. When it is exchanged for an access_token, a new refresh_token will be issued and the one that was used will be invalidated. Make sure to capture the new refresh_token and replace the old one with it. Each refresh_token is valid for a maximum of one year.

Revoking Tokens

Users can revoke their authorization at any time at Dexcom.com by signing in to their account and changing their authorizations in Permissions. Dexcom will promptly terminate providing further personal information to the client application, but any information previously provided to the app will not be affected by this revocation.

Handling Errors

Apps should be developed to properly catch HTTP response status codes other than 200 and proceed accordingly.

If a status code of 401 is returned on a request for data using an access_token, the next step is to use the refresh_token to acquire a new access_token.

If a status code of 400 is returned when exchanging a refresh_token, that refresh_token is no longer valid. Potential reasons include:

the user has revoked the app's authorization
the refresh_token has expired
the refresh_token has already been used and is therefore no longer valid

Independent of the reason, it is best to proceed by prompting the user to re-authorize the application by redirecting them to the login as detailed above in Step Two.

A complete list of errors and explanations is available in the Error Response section of the RFC 6749 OAuth 2.0 Authorization Framework standard.