Web API Authentication

Gigi · November 8, 2024, 10:20am

Good morning, I would like to preface by saying that I have completed the process to activate the web API integrations and successfully received the secret key. As of now, I am following the OAuth2 flow to authenticate.

In the first step I create an authorization URL as follows:

"https://api.nuki.io/oauth/authorize?response_type=code&client_id={$client_id}&redirect_uri={$redirectUri}&scope={$scopes}"

After that, when I receive a call on my server, I manually copy the code that was sent as a parameter and execute this call with bash:

curl -X POST \
--header 'Content-Type: application/x-www-form-urlencoded' \
-d "client_id=$client_id&client_secret=$client_secret&grant_type=authorization_code&code=$code&redirect_uri=$redirect_uri" \
'https://api.nuki.io/oauth/token'

However, the response to the bash request is as follows, despite the client_id and the client_secret are the same present in the nuki’s web-api page:

{"error":"invalid_client","error_description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). passwords do not match"}

Additionally, here’s a sample of my codes:

code="ory_ab_..."
client_id="**_*-**..."
client_secret="****..."
scopes="account%20smartlock%20smartlock.create%20smartlock.auth%20smartlock.action%20smartlock.log%20smartlock.readOnly%20smartlock.config%20notification"

poonam.chavan · November 12, 2024, 3:00pm

Gigi:

curl -X POST \
--header 'Content-Type: application/x-www-form-urlencoded' \
-d "client_id=$client_id&client_secret=$client_secret&grant_type=authorization_code&code=$code&redirect_uri=$redirect_uri" \
'https://api.nuki.io/oauth/token'

Hello,

The error suggests that there is a problem with the credentials used to authenticate the client (usually a combination of client ID and client secret). Has your advanced API request been approved? Please validate the client ID & secret again.

Please try to use this curl command to request the access token:

curl -X POST -d ‘client_id=CLIENT_ID client_secret=CLIENT_SECRET grant_type=authorization_code code=AUTHORIZATION_CODE redirect_uri=CALLBACK_URL’ https://api.nuki.io/oauth/token

Gigi · November 14, 2024, 10:00am

Hello, yes, my advanced API request has been approved. When I request a token (not an AUTHORIZATION_CODE) with my credentials, the API response is correct, and I can use it to authenticate. So, I don’t think the credentials are the issue in this case.
To clarify any doubts: the credentials are the ones found on the page Nuki Web on the API page, in the “OAuth2 API key & URL” section. Specifically, client_id corresponds to “OAuth2 API key” and client_secret corresponds to “OAuth2 API Secret,” correct?

poonam.chavan · November 14, 2024, 4:00pm

Yes, that is correct. Then i’m afraid the curl command has some issue, could you please try to authorize via Postman or Swagger to validate this?

Gigi · November 20, 2024, 8:44am

Using Swagger (Nuki demo), I have to enter only the client_id, and it works. However, when I use Postman, I receive the same error as when sending data with PHP or Curl (bash).

poonam.chavan · November 28, 2024, 12:44pm

Hence it looks like a format error, hence I requested you to check with the command given in the documentation:

curl -X POST -d ‘client_id=CLIENT_ID client_secret=CLIENT_SECRET grant_type=authorization_code code=AUTHORIZATION_CODE redirect_uri=CALLBACK_URL’ https://api.nuki.io/oauth/token

Gigi · November 28, 2024, 2:10pm

Hello,
Sorry for the misunderstanding. I tried using the Bash command from the documentation, PHP (with cURL), Postman, and the demo on your site. However, everything except the demo gives me the same error {"error_description":"Invalid client credentials.","error":"invalid_client"}, even though the credential are correct.

Desk · March 27, 2025, 3:23pm

Have you found a solution ?

Desk · April 1, 2025, 9:30am

Hey ! I am following the OAuth2 flow. I implemented an authorization code link , authorized the client application , received the authorization code but I cannot receive the access token

When I try to exchange the authorization code to receive the access token, I get following error :

{
      error: 'invalid_client',
      error_description: 'Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). passwords do not match'
    }

It seems that my OAuth2 API Secret (client_secret) is not matching my Oauth2 API key (client_id).

Could you help me please ?

system · November 10, 2025, 7:36am

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.