How to get an account level refresh token


I’m using the Ruby gem for this: and I’ve built my structure following the code they suggested to start with:

Notice in there the code that uses “DWOLLA_ACCOUNT_REFRESH_TOKEN”. At the top of the file it says “refresh token generated on”. How do I find this?

EDIT: I found this by logging into my Dwolla account, going to API Keys in the sidebar, then under “Create an OAuth access token” clicking “Create token”. The result here gave me a lot of data, including a refresh token.


Less than 24 hours later, TokenData.fresh_token_by! account_id: ENV["DWOLLA_ACCOUNT_ID"] is resulting in:
DwollaV2::AccessDeniedError: {"error"=>"access_denied", "error_description"=>"Invalid refresh token."}

The refresh strategy in the code I shared doesn’t seem to be working, and even if I delete all of my tokens, I can’t use the same refresh token to get started today like I did yesterday.

What am I doing wrong?

(Stephen Ausman) #3

Hey @glennfu,

Sorry for the trouble! A refresh_token can only be exchanged once, so I’m guessing that’s why you’re getting that error. If you generate a new refresh token and update DWOLLA_ACCOUNT_REFRESH_TOKEN, does that work?

Also: If you’re using our Access API we made some changes to allow you to use an application token, which is a bit easier to manage.


There are 2 locations in my app that use Dwolla. The first one is where clients come in and set up their bank account, via the callback/redirect mechanism, passing along the Transactions|Funding. This results in the creation of a customer token for them that I store. The second is where the owner of the app goes to make payments to those customer tokens using the “transfers” endpoint.

As far as I can tell, I have to use the Account Token structure for this.

As for the refresh token, I’m happy with that explanation that the site’s provided refresh token can only be used once. I think I found an issue in my setup: My ACCOUNT_ID looked like when the newly refreshed forms being created by the code looked like 123556-cc79-46f1-a0e4-2b7b4a2eced0 so when my query would search for the new one, it wouldn’t find it. Then it would fall back to re-using the one in ENV that had already been used. Updating this seems to have helped!

As for keeping it fresh, how often do I need to call refresh to keep from having to manually intervene here? Once per day, once per hour? The app owner might need to make payments 10 times in a day, every day for a week, but then not make any payments again for 2 or 3 months. What would you recommend?

(Stephen Ausman) #5


Access tokens expire after 60 minutes and refresh tokens expire after 60 days. If you’re using something like TokenData.fresh_token_by! you shouldn’t have to worry much about refreshing since it will refresh your tokens for you (when necessary).

Since refresh_tokens expire after 60 days, you will probably want to have a background job that runs periodically to refresh tokens with refresh_tokens that are close to expiring.
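
An added example, not part of the thread and not code from Dwolla or the gem: a sketch of the rotation the replies describe, where each refresh token is exchanged once, the replacement is stored under the account id the server returns, and a periodic job rotates tokens nearing the 60-day limit. RotatingTokenStore, FakeExchanger and the exchanger callable are hypothetical stand-ins, and no real API call is made.

```ruby
# Added example. All names are hypothetical; `exchanger` stands in for the real
# refresh call and must return {account_id:, access_token:, refresh_token:}.
ACCESS_TTL  = 60 * 60            # access tokens last 60 minutes (per the thread)
REFRESH_TTL = 60 * 24 * 60 * 60  # refresh tokens last 60 days (per the thread)
TokenRecord = Struct.new(:account_id, :access_token, :refresh_token, :issued_at)

class RotatingTokenStore
  def initialize(exchanger, seed_refresh_token)
    @exchanger = exchanger
    @seed = seed_refresh_token   # dashboard-generated token, usable exactly once
    @records = {}                # account_id => newest TokenRecord
  end
  # Return a usable access token, exchanging the stored refresh token if needed.
  def fresh_token(account_id, now: Time.now)
    rec = @records[account_id]
    return rec.access_token if rec && now - rec.issued_at < ACCESS_TTL - 60
    rotate(rec ? rec.refresh_token : take_seed, now).access_token
  end
  # Background job body: rotate records whose refresh token is near expiry.
  def refresh_expiring(now: Time.now, margin: 7 * 24 * 60 * 60)
    due = @records.values.select { |r| now - r.issued_at > REFRESH_TTL - margin }
    due.map { |r| rotate(r.refresh_token, now).account_id }
  end

  private
  # Never fall back to a spent seed: fail loudly instead of replaying it.
  def take_seed
    seed, @seed = @seed, nil
    seed or raise ArgumentError, "no stored token for this account id and the seed is spent"
  end
  # Store under the id the server returned, replacing the consumed refresh token.
  def rotate(refresh_token, now)
    data = @exchanger.call(refresh_token)
    @records[data[:account_id]] =
      TokenRecord.new(data[:account_id], data[:access_token], data[:refresh_token], now)
  end
end

# Constructed fake server: each refresh token can be exchanged once.
class FakeExchanger
  def initialize(id, seed)
    @id, @valid, @n = id, seed, 0
  end
  def call(token)
    raise "Invalid refresh token." unless token == @valid
    @n += 1
    { account_id: @id, access_token: "access-#{@n}", refresh_token: (@valid = "refresh-#{@n}") }
  end
end
```

In a real app the records would live in the database, and a lookup under an id in a different format than the one the server returns hits the ArgumentError instead of silently replaying the spent token.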