
Authentication Troubleshooting

This guide covers common authentication errors and their solutions. If you encounter an error not listed here, contact us via the API Support Help Center.


Common OAuth2 Errors

❌ Error: invalid_grant

Full error message:

{
  "error": "invalid_grant",
  "error_description": "User not validated"
}

Causes

  1. User/Channel not activated - Your channel has not been validated by Onebox
  2. Invalid channel_id - The channel_id provided does not exist
  3. Channel not associated - Channel exists but is not properly configured

Solutions

If you're setting up for the first time:

  1. Ensure you received credentials from the Onebox technical team
  2. Verify you're using the correct channel_id provided in your credentials
  3. If you just received credentials, wait 5-10 minutes for system propagation

Still not working?

Contact us via the API Support Help Center with:

  • Your channel_id
  • Environment (test/production)
  • Full error response

❌ Error: Invalid JWT signature

Full error message:

{
  "code": "AUTH001",
  "message": "Invalid JWT signature"
}

Causes

  1. Wrong environment credentials - Using test credentials in production or vice versa
  2. Expired token - Token has exceeded 12-hour validity period
  3. Corrupted token - Token was modified or incorrectly stored

Solutions

1. Verify you're using the correct environment:

# Test Environment
OAuth URL: https://api.oneboxtds.net/oauth/token
API URL: https://api.oneboxtds.net/*

# Production Environment
OAuth URL: https://api.oneboxtds.com/oauth/token
API URL: https://api.oneboxtds.com/*

Rule: OAuth URL and API URL must match domains (.net or .com)

2. Check token expiration:

Tokens expire after 12 hours. Implement token refresh logic:

let token = null;
let tokenExpiry = null;

async function getValidToken() {
  // Reuse the cached token while it exists and has not expired
  if (token && tokenExpiry > Date.now()) {
    return token;
  }

  // Request a new token
  const response = await fetch('https://api.oneboxtds.net/oauth/token', {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'client_credentials',
      channel_id: process.env.CHANNEL_ID,
      client_id: 'seller-channel-client',
      client_secret: process.env.CLIENT_SECRET
    })
  });

  // Stop on OAuth errors (invalid_grant, invalid_client, ...) instead of
  // caching an undefined token
  if (!response.ok) {
    throw new Error(`Token request failed with HTTP ${response.status}`);
  }

  const data = await response.json();
  token = data.access_token;
  // Set expiry with a 5-minute buffer (expires_in is in seconds)
  tokenExpiry = Date.now() + (data.expires_in - 300) * 1000;

  return token;
}

3. Verify token is not corrupted:

  • Do not manually modify the token string
  • Store token as-is from the OAuth response
  • Do not add/remove characters or whitespace
  • Check for proper URL encoding if passing in query parameters
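The three AUTH001 causes above can be checked locally before opening a ticket. The following is an added example, not Onebox code: `diagnoseAuth001` and its helpers are hypothetical names, the host-to-environment map is taken from the URLs listed above, and the expiry check assumes the token carries a numeric `exp` claim in seconds. It decodes the token without verifying its signature and never prints it.

```javascript
// Added example: local checks for the three AUTH001 causes. No network calls
// and no signature verification. Hosts come from the environment list above.
const ENVIRONMENTS = { 'api.oneboxtds.net': 'test', 'api.oneboxtds.com': 'production' };

function environmentOf(url) {
  return ENVIRONMENTS[new URL(url).hostname] || 'unknown';
}

function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

function diagnoseAuth001({ oauthUrl, apiUrl, token }, nowMs = Date.now()) {
  const issues = [];

  // Cause 1: token obtained from one environment, used against the other
  const oauthEnv = environmentOf(oauthUrl);
  const apiEnv = environmentOf(apiUrl);
  if (oauthEnv === 'unknown' || apiEnv === 'unknown') issues.push('unknown host');
  else if (oauthEnv !== apiEnv) issues.push(`environment mismatch: ${oauthEnv} token, ${apiEnv} API`);

  // Cause 3: token altered in storage or transit (whitespace, truncation, re-encoding)
  if (/\s/.test(token)) issues.push('token contains whitespace');
  const parts = token.trim().split('.');
  if (parts.length !== 3 || !parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p))) {
    issues.push('token is not three base64url segments');
    return issues;
  }

  // Cause 2: expiry, assuming a numeric `exp` claim in seconds since the epoch
  try {
    decodeSegment(parts[0]);
    const { exp } = decodeSegment(parts[1]);
    if (typeof exp === 'number' && exp * 1000 <= nowMs) issues.push('token expired');
  } catch {
    issues.push('token header or payload does not decode to JSON');
  }
  return issues;
}

// Constructed sample token with a fake signature, for demonstration only.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.c2FtcGxl`;
}
```

An empty result only means none of these local checks failed; the server still decides whether the signature is valid.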

❌ Error: Full authentication is required to access this resource

Full error message:

{
  "errorCode": "UNAUTHORIZED",
  "message": "Full authentication is required to access this resource",
  "httpCode": 401,
  "httpStatus": "UNAUTHORIZED"
}

Causes

  1. Missing Authorization header - Token not sent with request
  2. Wrong header format - Incorrect Bearer token format
  3. Token not obtained - Attempting API call before getting OAuth token

Solutions

1. Verify Authorization header is present:

CORRECT:

curl -X GET 'https://api.oneboxtds.net/catalog-api/v1/events' \
  -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...'

WRONG - Missing Authorization:

curl -X GET 'https://api.oneboxtds.net/catalog-api/v1/events'

2. Check Bearer token format:

const headers = {
  'Authorization': `Bearer ${accessToken}`,
  'Content-Type': 'application/json'
};

Key points:

  • Starts with Bearer (with space after)
  • Followed by the access_token from OAuth response
  • No quotes around the token

3. Ensure OAuth flow is completed first:

// Step 1: Get OAuth token (MUST be done first)
const tokenResponse = await fetch('https://api.oneboxtds.net/oauth/token', {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: new URLSearchParams({
    grant_type: 'client_credentials',
    channel_id: '123',
    client_id: 'seller-channel-client',
    client_secret: 'your-secret-here'
  })
});

const { access_token } = await tokenResponse.json();

// Step 2: Use token in API calls
const apiResponse = await fetch('https://api.oneboxtds.net/catalog-api/v1/events', {
  headers: {
    'Authorization': `Bearer ${access_token}`
  }
});

❌ Error: invalid_client

Full error message:

{
  "error": "invalid_client",
  "error_description": "Bad client credentials"
}

Causes

  1. Wrong client_secret - The API key/client_secret is incorrect
  2. Wrong client_id - Using incorrect client_id value
  3. Credentials from wrong environment - Using test credentials in production

Solutions

1. Verify client_id:

For Seller Channel Clients, client_id should always be:

seller-channel-client

For Access Control Clients, check Access Control Authentication.

2. Verify client_secret (API Key):

  • Check for typos or copy-paste errors
  • Ensure no extra whitespace before/after the secret
  • Verify you're using the secret from the correct environment
  • Confirm the secret was not regenerated (ask technical support if unsure)

3. Double-check environment:

# Test credentials → Test URLs
https://api.oneboxtds.net

# Production credentials → Production URLs
https://api.oneboxtds.com

❌ Error: HTTP 403 Forbidden

Full error message:

{
  "errorCode": "FORBIDDEN",
  "message": "Access denied",
  "httpCode": 403,
  "httpStatus": "FORBIDDEN"
}

Causes

  1. Insufficient permissions - Your channel does not have access to this resource
  2. Event not associated - Trying to access an event not assigned to your channel
  3. API endpoint not enabled - Your channel plan doesn't include this API

Solutions

1. Event not assigned to your channel:

If accessing a specific event and getting 403:

  • The event may not be published for your channel
  • The event may be assigned to different channels only
  • Contact the event promoter or API Support Help Center

2. API access not enabled:

Some APIs require specific permissions:

3. Production access before certification:

If getting 403 in production but test worked:

  • Ensure you completed certification successfully
  • Verify production credentials were provided
  • Check with the API Support Help Center

Testing Your Authentication

Quick Authentication Test

Use this curl command to test if your credentials work:

curl -X POST 'https://api.oneboxtds.net/oauth/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials' \
  -d 'channel_id=YOUR_CHANNEL_ID' \
  -d 'client_id=seller-channel-client' \
  -d 'client_secret=YOUR_CLIENT_SECRET'

Expected response:

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "bearer",
  "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expires_in": 43199,
  "scope": "api-channels-all api-gateway",
  "jti": "..."
}

Still Having Issues?

If you've tried the solutions above and are still experiencing problems:

Before Contacting Support

Collect this information:

  1. Environment: Test or Production
  2. Channel ID: Your channel_id
  3. Error details: Full error response (JSON)
  4. Request details:
    • URL called
    • HTTP method
    • Headers sent (DO NOT include client_secret)
  5. Timestamp: When the error occurred
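One way to assemble the request details for a ticket without leaking credentials, as an added example that is not Onebox code: `buildSupportReport` and its helpers are hypothetical names, and the body is assumed to be form-encoded like the token request above. The checklist only asks you to leave out `client_secret`; masking the bearer token and any `access_token` or `refresh_token` parameter as well is this example's own choice.

```javascript
// Added example: summarize a failed request for a support ticket with
// credentials masked. Assumes `body` is application/x-www-form-urlencoded.
const SENSITIVE_PARAMS = new Set(['client_secret', 'access_token', 'refresh_token']);

function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'authorization') {
      // Keep the scheme ("Bearer") for diagnosis, never the credential itself.
      // A value without a scheme is masked entirely.
      const [scheme, rest] = String(value).split(/\s+/, 2);
      out[name] = rest ? `${scheme} REDACTED` : 'REDACTED';
    } else {
      out[name] = value;
    }
  }
  return out;
}

function redactParams(params) {
  const out = new URLSearchParams();
  for (const [key, value] of new URLSearchParams(params)) {
    out.append(key, SENSITIVE_PARAMS.has(key) ? 'REDACTED' : value);
  }
  return out.toString();
}

function buildSupportReport({ environment, channelId, url, method, headers, body, errorResponse, timestamp }) {
  // Tokens sometimes end up in query strings, so the URL is masked too
  const masked = new URL(url);
  masked.search = redactParams(masked.search);
  return {
    environment,
    channelId,
    timestamp,
    method,
    url: masked.toString(),
    headers: redactHeaders(headers || {}),
    body: typeof body === 'string' ? redactParams(body) : undefined,
    errorResponse
  };
}
```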

Contact Technical Support

🔗 Help Center: API Support Help Center

Open a ticket and include all information collected above.