Any of the listed authentication credentials are missing


I successfully generated an access token but I’m unable to get data. Here is the part of my code that is obviously broken. What am I missing? Thanks in advance to anyone that can help.

$access_key = $_SESSION[‘hubspotAccessToken’];
$curl = curl_init( ‘’ );
curl_setopt( $curl, CURLOPT_HTTPHEADER, array( 'Authorization: Bearer ’ . $access_key ) );
curl_exec( $curl );

Here is the error I get:
{“status”:“error”,“message”:“Any of the listed authentication credentials are missing”,“correlationId”:“xxxxxxx”,“engagement”:{“vendorkey-gae”:“vendorkey-gae not engaged. Vendorkey not found in request headers.”,“shhkey-v1”:“shhkey-v1 not engaged. Shhkey not found in the request header.”,“hapikey”:“hapikey not engaged. hapikey is not present in query params.”,“oauth-token”:“oauth-token not engaged. Malformed OAuth access token found in request header.”,“access_token”:“access_token not engaged. Token not found in query params.”,“internal-cookie”:“internal-cookie not engaged. Cookie not found in the request.”,“app-cookie”:“app-cookie not engaged. App cookie is not present on the request.”,“legacy-app-cookie”:“legacy-app-cookie not engaged. Auth cookie is not present in the request.”,“saml-redirect”:“Not engaged, HubId not specified on the request, cannot identify Identity Provider. is missing”},“requestId”:“xxxxxxxxx”}


Hi @dbeau

The most likely issue is that the access token you’re using is an incorrect format (you’d get a different error for an expired or otherwise invalid token).

The code itself looks ok to me, but can you double check the access token you’re using?


Hi @dadams

Not sure if this helps but the access token is in this format:

Is there any more info I can provide?

Thanks for your help with this.


That format would be for the old OAuth1 access tokens, which would use the access_token= query parameter, and not the Authorization header.

If you’re migrating an existing application to the new OAuth 2.0 system, you would need to authenticate your app with the new system to get a new access token and refresh token. The client ID and client secret would work with either system, but the access tokens and refresh tokens are not compatible between the two.