9

So I've followed the steps here to the letter: https://www.reddit.com/r/algotrading/comments/c81vzq/td_ameritrade_api_access_2019_guide/ in an effort to get a refresh token so that I can build a client app in C# to use TD Ameritrade's API to conduct special stock and option screening and trading. I got to the end before reaching any trouble.

In the very last step in getting my refresh token, where you fill out the fields on https://developer.tdameritrade.com/authentication/apis/post/token-0, it fails; I just get the following response with an HTTP 401 error:

HTTP/1.1 401 Unauthorized
Access-Control-Allow-Headers: origin
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: https://developer.tdameritrade.com
Access-Control-Max-Age: 3628800
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 31
Content-Security-Policy: frame-ancestors 'self'
Content-Type: application/json;charset=UTF-8
Date: Sat, 04 Apr 2020 16:07:04 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Application-Context: OAUTH_SERVICE:run:8080
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
{
  "error": "invalid_grant"
}

What could the problem be? I've double and triple checked each step and the values in the text boxes (imaged below) to receive a refresh token, but I can't get it to work. The code and client ID are properly done, as well, based on the guide's steps - I double and triple checked.

This doesn't work!

I followed the steps in the Reddit guide, and from a linked guide by TDA Ameritrade themselves, to ensure I was putting the proper values in the proper fields, so I really have no clue what's going on.

Any help is appreciated.

Codefun64
  • Have you solved the issue? Also can you please share the code, how you are submitting the POST API call, populating data. Thanks. – Mehdi Anis Feb 15 '22 at 16:55

5 Answers

3

"code" or "authorization code" is only a one-time pass-key that expires after 30 minutes. It allows you to get the "access token", which, although it has a similar name, seems to be different. So make sure you URL-decode the auth code reasonably rapidly, then get your first response correctly in before 30 minutes.

Also try on weekends, as TDAmeritrade's SMS gateway has been frustratingly slow recently during the GameStop raids, and it's possible their authentication handshaking could be having problems as well during trading hours.

Note that appending "@AMER.OAUTHAP" does not seem to be necessary for the client_id slot of the manual Post Access Token form.

DragonLord
1

I ran into this issue, and the problem was that I was URL-encoding the redirect URI in the console when requesting the refresh token. When I retried using a URL-decoded URI, it worked.

Jon
0

It turns out, http://localhost does not function for a redirect URI in TDA's API. You have to use https://127.0.0.1 in your app settings and then again in the many steps that follow when you try to generate your first refresh token.

So, that solves that.

Codefun64
  • I have the same issue and error message, but changing to 127... didn't solve it for me. Did you get invalid_grant for any other causes? – Darian Hickman Aug 10 '20 at 22:32
  • I am getting invalid_grant too @Darian311. Were you able to bypass that issue? – dawit Dec 09 '20 at 05:04
  • That's not correct. Using localhost works fine. Here's a screenshot showing that's the case. https://i.imgur.com/CkuIpPv.png – Ron Bertino Dec 18 '20 at 06:09
0

Make sure that your redirect_uri exactly matches the one configured in your app.

If you're using a Windows machine, I'd suggest setting your callback URL to: http://localhost

Note that this is http rather than https. This will save you from having to set up IIS and configure SSL on your workstation.

Also, something worth remembering is that the authorization code will only work once when creating your bearer and refresh token. On any subsequent attempts at sending that same authorization code, you'll get the "invalid_grant" error.

Ron Bertino
0

I had a similar issue, and it was resolved using the steps below:

  1. Update callback URI on custom app to https://127.0.0.1
  2. Request new access code after updating the URI.
  3. Access token is valid only for 30 mins. Hence, the refresh token should be requested ASAP.
user15119516
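
The answers above trace invalid_grant to an authorization code or redirect URI that has been URL-encoded the wrong number of times, or to a redirect_uri that differs from the app's callback URL. The following Python is an added example, not code from any poster or from TD Ameritrade: it decodes the code from the callback URL once, checks the values before they are sent, and builds the form body with a single encoding pass. The function names, the sample callback URL and the client ID are constructed for illustration, and `access_type=offline` is assumed from the token form's fields.

```python
import re
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

PCT = re.compile(r"%[0-9A-Fa-f]{2}")  # a leftover percent-escape

# Constructed sample: what the browser address bar shows after login.
SAMPLE_CALLBACK = "https://127.0.0.1/?code=AbC%2Bdef%2FgHi%3D%3D"

def code_from_callback(callback_url):
    """Pull `code` out of the redirect URL, decoded exactly once."""
    values = parse_qs(urlsplit(callback_url).query).get("code")
    if not values:
        raise ValueError("no 'code' parameter in callback URL")
    return values[0]

def preflight(code, redirect_uri, registered_uri):
    """Return the reasons this request is likely to come back invalid_grant."""
    problems = []
    if PCT.search(code):
        problems.append("code still looks URL-encoded; decode it first")
    if PCT.search(redirect_uri):
        problems.append("redirect_uri is URL-encoded; pass the plain URI")
    if unquote(redirect_uri) != registered_uri:
        problems.append("redirect_uri does not exactly match the app's callback URL")
    return problems

def token_form(code, client_id, redirect_uri):
    """Form body for the token POST; urlencode() is the only encoding pass."""
    return urlencode({
        "grant_type": "authorization_code",
        "access_type": "offline",  # assumed: requests a refresh token as well
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    })

if __name__ == "__main__":
    registered = "https://127.0.0.1"  # assumed callback URL set on the app
    code = code_from_callback(SAMPLE_CALLBACK)
    issues = preflight(code, registered, registered)
    # The code is single-use and short-lived, so send the body once, promptly.
    print(issues or token_form(code, "EXAMPLE_CONSUMER_KEY", registered))
```

If the HTTP client is given a dictionary of fields and encodes it itself, pass the decoded values directly instead of the output of `token_form`, otherwise they are encoded twice.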