When is access_token changed?

Twice I had my python programs failing because the access_token was changed. Updating tot the new access_token fixed the problem.
The problem is that I don’t know when/how/why the access_token was changed. I certainly didn’t do it manually in Build.
What I have done is put the Spark on another wifi network. Does that change the access_token? I wouldn’t hope so.

Can nobody shed some light here?

Thx Marcel

Hi @mjmare,

Right now the access token changes when you hit the login endpoint on the api, and this endpoint is also hit by the build site and the mobile apps – (if you login / logout). We have a task on our roadmap to correctly support multiple oauth clients and access tokens which should make those tokens a bit more stable. Personally I have my code login each time and use a fresh access token when possible, but that won’t be necessary later on.


Hi David

Just to clarify: by “the login endpoint” you mean logging into the mobile app? Or logging into a new wifi network?

This means that you have to be very careful logging in, since you run the risk of shutting out programs in the field?



Are we talking about the “Access Token” which is shown in the spark.io “Settings” screen? That token was established when I first registered my core and I have never reset it. I’ve logged in and logged out dozens of times, reset my core, changed access points, etc., and it has never changed. I use python scripts and a REST client with that token embedded and have never had a problem.

My understanding is that the Access Token (see below) would only change if it was Reset (or perhaps if the core is re-claimed.)

Dave O

@dorth I believe it is actually reset when you log in with the mobile app (iPhone/Android), but not from the web IDE. basically a new auth token is created every time you request one, and the mobile apps request one as part of login.

Hey All,

Sorry about any confusion, Zach is right. Essentially the mobile apps and your own apps hitting the api can request an access token by sending a POST to “/oauth/token” that looks something like:

          username: user,
          password: pass,
          grant_type: 'password'
          client_id: "your_client",
          client_secret: "your_client_secret_here"

That request causes the previous token to be invalidated, and a new one granted. Logging into the build site doesn’t cause the token to be invalidated because it’s special, and we recognized that would be really inconvenient. Down the road - the mobile apps, the build site, and your own custom apps will all get different client specific access tokens, so this won’t be an issue. For my code I “log in” using this POST method to make sure I always have a current token. Hope that helps. :slight_smile:


Sorry about that. I don’t use the mobile apps so wasn’t aware of this. Apologies for adding any confusion to the mix.

Dave O

Where is this documented? I don’t see it on http://docs.spark.io/#/api. TIA

I think you’re right in that it’s not well documented yet, but it certainly will be! I suspect we were waiting until the auth endpoints were a bit more well rounded, and we had some nice tools for managing clients / tokens. :slight_smile:

Is there a basic list of all the current end points and/or examples of JSON responses somewhere (other than what is currently documented)?

This happened to me yesterday and I thought I was going mad! The access token reset. Glad to see its ‘a feature’ rather than a bug, but some more documentation would be great to clear up confusion.

1 Like