OAuth token refresh API doesn't support CORS?


#1

In my web app (running inside the browser), I’m calling /auth/v1/refresh REST api to get a new access token. However, it fails with the following error message in Chrome:

XMLHttpRequest cannot load https://api.hubapi.com/auth/v1/refresh?refresh_token=xxx&client_id=xxx&grant_type=refresh_token. No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘https://myapp.mydomain.com’ is therefore not allowed access.

Below is my request header:
Accept:/
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8,ja;q=0.6,zh-CN;q=0.4,zh;q=0.2
Connection:keep-alive
Content-Length:0
Content-Type:application/x-www-form-urlencoded
Host:api.hubapi.com
Origin:https://myapp.mydomain.com
Referer:https://myapp.mydomain.com/App/Home/Home.html
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Below is my response header:
Access-Control-Allow-Credentials:false
Cache-Control:no-cache
Connection:keep-alive
Content-Encoding:gzip
Content-Length:148
Content-Type:application/json; charset=UTF-8
Date:Fri, 19 Aug 2016 08:19:01 GMT
Vary:Accept-Encoding, User-Agent

If I use a Chrome plugin to force add the CORS header, it works just fine. So it looks like CORS header from hubspot server side is the only missing piece for this API to work. Could you please advice whether I missed something or this is a bug in refresh API?

Thanks!


#2

Hi @coffeeocean

At the moment, none of the HubSpot APIs support CORS, as a security measure to prevent access_tokens and other credentials from being exposed to the user in a client-side request. Any requests to HubSpot will need to be made server-side, so you’ll need to process any AJAX requests through a proxy (and the proxy should be adding the tokens to the server-side request).


#3

Thanks for the reply, David! We just built our server side proxy and it worked.


#4

Hi,

is there some piece of a sample code in PHP?

Thanks


#5

Hi,

some kind of sample code in PHP available?

Thanks