How to Use AAC's New OAuth 2.0 Refresh Tokens for the AAC API

Question

How to generate an OAuth 2.0 token in AAC What are access and refresh tokens?* Access Token: Used to make API requests; valid for 5 minutes. * Refresh Token: Used to get a new access token; its lifespan is set when generated (1–365 days). * When refreshing a token, you receive new access and refresh tokens, and the old refresh token becomes invalid. Step 1: Generate your Access and Refresh Tokens * Starting in Alteryx Analytics Cloud, go to User Preferences. On the left-side panel, select OAuth 2.0 API Tokens. * Select Generate. * Name your token, and set the Lifetime for anywhere between 1 and 365 days. * Save the resulting API Access Token and API Refresh Token in a credential store or secure place of your choosing. If you lose these tokens you will have to restart this process. Do not share these tokens – they are secret and unique. Step 2: Find the Client ID and Token Refresh EndpointThese details are required to refresh your tokens. * Get the Client ID and Token Endpoint URL from the OAuth2.0 API Tokens page. These are located right below the Generate Button in AAC. Example: * Construct the Refresh Endpoint URL Append /token to the “Token Endpoint URL” value to get the refresh endpoint (if it does not already include /token: * Example: https://pingauth.alteryxcloud.com/as/token. Step 3: Refresh Tokens Using One of the MethodsChoose a method (Postman, Curl, or Python): Postman * Create a new project, and switch the method from GET to POST. * Set the URL to https://pingauth.alteryxcloud.com/as/token. * In the Body tab, select x-www-form-urlencoded with these fields: * grant_type: refresh_token * refresh_token: Paste your current refresh token. * client_id: Paste your client ID. It should look something like this: * Click Send. The response contains new tokens. Save these in a credential store or secure place of your choosing. If you lose these tokens you will have to restart this process. Do not share these tokens – they are secret and unique. Pro Tip: I like to save this Postman request for when I want to refresh my tokens (to come later). CurlRun a command similar to this: curl --location 'https://pingauth.alteryxcloud.com/as/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'grant_type=refresh_token' \ --data-urlencode 'refresh_token=' \ --data-urlencode 'client_id=' Replace and with your values. The response contains new tokens.Python Use this script as a base: import urllib.parse import urllib.request REFRESH_URL = "https://pingauth.alteryxcloud.com/as/token" OAUTH_CLIENT_ID = "" REFRESH_TOKEN = "" def refresh_tokens(refresh_token): headers = { "Content-Type": "application/x-www-form-urlencoded" } body = { "grant_type": "refresh_token", "refresh_token": refresh_token, "client_id": OAUTH_CLIENT_ID } # URL encode the body for the refresh request encoded_body = urllib.parse.urlencode(body).encode() # Make the refresh request request = urllib.request.Request(REFRESH_URL, data=encoded_body, method='POST') with urllib.request.urlopen(request) as response: return json.load(response) new_tokens = refresh_tokens(REFRESH_TOKEN) print("New Access Token:", new_tokens['access_token']) print("New Refresh Token:", new_tokens['refresh_token']) Important Notes * Refresh Token Rotation: A new refresh token is issued each time you refresh tokens. Always replace your old tokens with the new ones. * Security: Store tokens securely and avoid exposing them. How to use the access token you just generated to make an API call Once you have your new access token and refresh token, you’ll use the access token to make API calls. Here’s how to proceed: Refresh Token Use * The refresh token is NOT used for direct API calls. * Save it securely for later to refresh your tokens when the current access token expires. Steps to Make an API Call Using the New Access Token Using Postman * Create a New Request: * Open Postman and select New * Set the HTTP method (e.g., GET, POST) and enter the full API URL. * Add Authorization: * Go to the Authorization tab. * From the Auth Type dropdown, select Bearer Token. * Paste your new access token into the field. * Depending on the API, there may be other required Headers. * Add a Request Body (if required): * Go to the Body tab and include the necessary payload in raw or form-data format. * Send the Request: * Click the Send button. * If the token is valid and the request is correct, you’ll get a response. Using CurlYou can also use curl in the terminal to make an API call. Here's an example: curl --location --request GET 'https://api.us1.alteryxcloud.com/iam/v1/workspaces/current' \ --header 'Authorization: Bearer ' Replace with the actual token. Using Python If you're scripting, you can use Python to call the API: import urllib.request import json # API endpoint API_URL = "https://api.us1.alteryxcloud.com/iam/v1/workspaces/current" # New access token ACCESS_TOKEN = "" # Headers headers = { "Authorization": f"Bearer {ACCESS_TOKEN}", "Content-Type": "application/json" } # Make the GET request request = urllib.request.Request(API_URL, headers=headers) with urllib.request.urlopen(request) as response: print(json.load(response)) Handling Expired Tokens * If you receive a 401 Unauthorized error, your access token may have expired. * Use your refresh token to obtain a new access token and try the request again.

oluetkeh · Answer

I'm using the Postman method shown above. However, managing the new refresh token after each request became tedious. So I went ahead and updated my setup and leveraged a Post-response script.

The overall process makes a call to refresh the token, then checks the results and upon success uses the response to update its values. It requires the use of Postman environment variables.

The variables needed are shown in this snippet below and are the same as described in the post; I used different names e.g.  AACP_TOKEN_ISSUER is called "Token Endpoint URL" above.

refresh request

you can name those variables to your liking, you just need to be consistent between request and script.

post-request script

here's the code for the script so you can copy/paste:

if (pm.response.code == 200) {
    console.info('response', pm.response, pm)
    let jsonData = pm.response.json();
    console.info('parsed response from ping', jsonData);
    access_token = jsonData.access_token;
    if (access_token) {
        pm.environment.set("AACP_ACCESS_TOKEN", access_token)
    } else {
        console.log("access_token not found", jsonData)
    }

refresh_token = jsonData.refresh_token
    if (refresh_token) {
        pm.environment.set("AACP_REFRESH_TOKEN", refresh_token)
    } else {
        console.warn("refresh_token not found", jsonData)
    }
} else {
    console.warn('response status code', pm.response.code, pm.response)
}