Getting Expired access token, even though generate a new token on each request

(Matthew Padich) #1

Within our app, every time a user wants to interact with the Dwolla API we generate a new token by hitting the auth token endpoint located @ with a body like:

    { { "client_id", _appKey }, { "client_secret", _appSecret }, { "grant_type", "client_credentials" } };

This succeeds, we get a new token, and about 75% of the time the token just works. The Response looks like this:


But occasionally we get a token that gives us this error:

    "code": "ExpiredAccessToken",
    "message": "Generate a new access token using a valid refresh token."

However, in the API v2 docs I do not see anything about refresh tokens, nor does the POST to `` give us back a refresh token (as you can see above). My initial thought is to just keep hitting the token endpoint until we get a good token, but that seems really unnecessary / silly / slow. Is this just a problem with the sandbox endpoint? Is this something we will have to handle the same way in production?

Any suggestions / answers would be much appreciated.


(Spencer Hunter) #2

@mattyfresh, if you’re integrating with our Access API then we’d recommend only generating a new access token once per hour (call the token endpoint every 45 minutes to 1 hour). This single access token is used to facilitate all calls to the Dwolla API on behalf of your own Account and the Customers you create and manage. You’ll then want to persist this access token in some type of shared storage and update it every time you call the API to refresh authorization.

Thanks for the heads up on the error message, I’ll pass this along to our team to update the error message string to return a better error based on the type of access token you’re using.

(Matthew Padich) #3

We are using the Access API, thank you for your response! Very helpful.

So just to echo back what you said, the best practice is to generate an access_token and persist that token for 45 minutes to 1 hour, doing whatever work I have to do using the same token for that time span.

At which point I would generate a new token, do work for 45 mins to 1 hour, etc…

Sounds like a plan,

Thanks again!

(Spencer Hunter) #4

Yep, you’ve got it!

(Matthew Padich) #5

Hey Spencer, so I applied that logic and am still running into the same issue sporadically.

    "code": "ExpiredAccessToken",
    "message": "Generate a new access token using a valid refresh token."

Any other ideas? We only generate an access token every 45 minutes, confirmed on our local and staging environments. Could the different URLs be affecting the token working properly? One is a `` URL and one is just on `localhost`.

The issue does not seem to affect my local testing URL.

If there is anything else you can think of or anything you need from me to test internally please let me know.  We are on a bit of a time crunch at this point!



(Spencer Hunter) #6

Hey @mattyfresh, that is strange. Are you storing the new access token you receive from Dwolla and getting rid of the previously issued token? What is the name of your application? I’ll see if I can do some digging in our logs to find anything that may be helpful in debugging.

(Matthew Padich) #7

Hey Spencer thanks for getting back to me!

So we just have a single access_token at any one time, used in the manner I mentioned previously. We store an access_token in our DB, and if it is less than 45 minutes old we use that, otherwise we make another call to the auth endpoint and generate a new one and then store that. Repeat.

The issue seems to be really sporadic, right now I am forced to generate an access_token, make an API call with it, make sure the response is good, then write it to the DB. Essentially doing a test API call every time we generate a token until we get one that works.

Our app is called (as per the API):
"id": "d1141d23-e2ef-4e3b-ae5f-17c13376692d",
"name": "Settle Inc"

Any insight you can give would be greatly appreciated!

Thanks again,


(Matthew Padich) #8

Any update on this?? Still having problems randomly.



(Spencer Hunter) #9

Hi @mattyfresh, I dug into our logs to take a look at requests from your app and here is what I am seeing:

Specifically for requests made on 8/4, it doesn’t appear that your app is calling the Dwolla API every 45 minutes to obtain a new access token.
Your app received HTTP 401s at 2017-08-04 19:41:06, 2017-08-04 19:41:53, and 2017-08-04 19:54:29 UTC, however the first time you called the API to obtain an access token was later that day at 2017-08-04 23:00:13 UTC.

For requests made on 7/26, I see 401s at 2017-07-26 15:34:37, 2017-07-26 15:38:23, 2017-07-26 15:38:28, 2017-07-26 15:42:38, 2017-07-26 15:42:44, and 2017-07-26 15:43:42 UTC, however the first time your app called the API to obtain an access token that day was 2017-07-26T15:46:21 UTC.

If possible, are you able to add some logging on your end for the following? 1) timestamp/info for successful API calls to obtain an access token 2) timestamp/info for failed calls to obtain an access token 3) timestamps for when you receive a 401 “expired access token” error. I can then match that info to what I am seeing on our end.
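
The token reuse recommended in #2 together with the three log events requested in #9, as an added example (not code from either poster or from Dwolla). `fetch_token` and `api_call` are hypothetical callables supplied by the application, a process-local cache stands in for the shared storage, and the 45-minute age is the interval from the thread.

```python
import logging
import threading
import time

log = logging.getLogger("token_cache")
MAX_TOKEN_AGE = 45 * 60  # seconds; refresh interval taken from the thread


class ExpiredAccessToken(Exception):
    """Raised by api_call on a 401 whose code is ExpiredAccessToken."""


class TokenCache:
    def __init__(self, fetch_token, clock=time.time):
        self._fetch = fetch_token  # hypothetical: POSTs client_credentials, returns the token
        self._clock = clock
        self._lock = threading.Lock()
        self._token = None
        self._issued_at = 0.0

    def get(self, stale=None):
        """Return the cached token; refresh if missing, too old, or reported stale."""
        with self._lock:
            too_old = self._clock() - self._issued_at >= MAX_TOKEN_AGE
            # `stale` only forces a refresh if nobody has replaced that token yet.
            if self._token is None or too_old or self._token == stale:
                try:
                    self._token = self._fetch()
                except Exception:
                    log.exception("token request FAILED at %.0f", self._clock())
                    raise
                self._issued_at = self._clock()
                # Log the timestamp only, never the token value itself.
                log.info("token issued at %.0f", self._issued_at)
            return self._token

    def call(self, api_call):
        """Run api_call(token); on an expired-token 401, refresh once and retry."""
        token = self.get()
        try:
            return api_call(token)
        except ExpiredAccessToken:
            age = self._clock() - self._issued_at
            log.warning("401 ExpiredAccessToken at %.0f, token age %.0fs",
                        self._clock(), age)
            return api_call(self.get(stale=token))
```

A token age well under 45 minutes in the 401 log line points away from the local refresh schedule and is the value to hand to support for matching against server-side logs.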

