Refresh access token denied

oauth

#1
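import http.client  # httplib in Python 2
import traceback

# logger and make_log_msg are defined elsewhere in the poster's code base.
def refresh_access_token(refresh_token, client_id):
    result = None
    try:
        # Form-encoded body for the refresh_token grant
        payload = 'refresh_token=%s&client_id=%s&grant_type=refresh_token' % (refresh_token, client_id)
        connection = http.client.HTTPSConnection('api.hubapi.com')
        connection.request('POST', '/auth/v1/refresh', payload)
        result = connection.getresponse()
        # The body is returned whatever the HTTP status was
        result = result.read()
    except Exception:
        # Note: this writes the refresh token itself into the log
        logger.exception(make_log_msg("refresh authentication for HubSpot",
                                      str(refresh_token), str(client_id),
                                      traceback.format_stack()))
    return result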

This is the code we are using to refresh the token. We have been using it for a long time and had no issues, but starting early this morning, we cannot get tokens anymore. What happened? It is urgent, we need to fix it as soon as possible, all integrations break with this error. Thanks

This is the error we get from the returned result:

Access Denied

Access Denied

You don’t have permission to access “http://api.hubapi.com/contacts/v1/contact/?” on this server.


Reference #18.b6e13217.1512134236.274cc805

P.S.

The weird thing is, I tried to directly invoke this API from the testing server, and it works, but our production servers keep getting this error.


#2

Hi @Eddie_Z,

That error appears to be coming from our CDN provider. It’s possible that your server was blocked because the activity appeared malicious to the system. If you have some retry logic that makes a large number of requests very quickly, that’s likely the culprit. Generally, reducing the quantity and/or frequency of requests for a minute or so will resolve these errors. In the event that this represents an IP block (for the reasons listed above) then the activity should be reduced for a few minutes, after which the IP block will be removed.


#3

Thanks, Derek, we already reduced the number of API calls to under 40k per day.
We haven’t changed our process and program for quite a while; it would be great if we could get some heads-up before we get banned.


#4

Hi @Eddie_Z,

The CDN blocks (like this one) are automatic and distinct from the API rate limits published here. The system automatically detects what appears to be malicious activity (in particular, sustained volume or spikes of high frequency traffic) and implements temporary blocks. If you’re on shared IPs, you might be impacted by bad actors sharing your IP address.
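
One way to act on the advice in replies #2 and #4, as an added example that is not part of the original thread or HubSpot's code: tell the CDN block page apart from a real API answer, and wait between attempts instead of retrying immediately. The `send` callable, the 60-second base delay, the jitter scheme and the HTML-versus-JSON heuristic are assumptions for illustration.

```python
import json
import random
import time


def classify(status, content_type, body):
    """Label a refresh response. Heuristic (assumption): the block in this
    thread is an HTML "Access Denied" page, while the API answers in JSON."""
    is_json = "json" in content_type
    if status == 200 and is_json:
        return "ok"
    if status == 403 and not is_json and b"Access Denied" in body:
        return "cdn_block"
    if status == 429 or status >= 500:
        return "retryable"
    return "fatal"


def backoff_delays(attempts, base=60.0, cap=900.0, rng=random.random):
    """Exponential backoff with equal jitter: each delay lies in [d/2, d],
    d = min(cap, base * 2**i), so a retry never follows immediately."""
    delays = []
    for i in range(attempts):
        d = min(cap, base * 2 ** i)
        delays.append(d / 2 + rng() * d / 2)
    return delays


def refresh_with_backoff(send, attempts=4, base=60.0,
                         sleep=time.sleep, rng=random.random):
    """Call send() -> (status, content_type, body) until it succeeds.

    send is a hypothetical transport wrapper around the POST to the refresh
    endpoint. Returns the parsed JSON; raises RuntimeError on a rejected
    request or when the attempt budget runs out.
    """
    delays = backoff_delays(attempts, base=base, rng=rng)
    for i, delay in enumerate(delays):
        status, ctype, body = send()
        kind = classify(status, ctype, body)
        if kind == "ok":
            return json.loads(body)
        if kind == "fatal":
            # Bad token or client id: retrying only adds traffic.
            raise RuntimeError("refresh rejected: HTTP %d" % status)
        if i < attempts - 1:
            sleep(delay)  # cdn_block or retryable: back off first
    raise RuntimeError("still blocked after %d attempts" % attempts)
```

Logging the `cdn_block` case separately from OAuth failures makes it clear whether a production outage is a blocked IP or a rejected token.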