REST API OAuth access token 401

I'm building a small app with Angular2 (hosted locally via lite-server), to summarise time captured in YouTrack, and show an overview thereof, so my team can see what they've captured time for in the last few days and on which projects. I've set up a Service on our Hub, marked it as trusted, set up my redirect_uri, and followed the OAuth 2.0 Login procedure for Implicit login. Here's my request:

GET: https://<my company><my app's service id from the hub>&redirect_uri=http://localhost:3000/dashboard/&scope=<my YouTrack service id>

Obviously substituting as necessary.


I am then taken to the YouTrack login page, I log in, and I get redirected back to my redirect_uri with an access token. The url looks something like this:

http://localhost:3000/dashboard/#access_token=<my access token>&scope=<my YouTrack service id>&token_type=Bearer&expires_in=3600

Just as expected, right?


Now I strip off the access token in my JS client app, and make a new request to YouTrack, as follows:

Accept: 'application/json'
Authorization: 'Bearer <my access token>'
GET: https://<my company>

And I get back a 401: Unauthorized.


But why? What am I doing wrong here?

I've also tried following this flow in my browser, and also from the popular Chrome App, PostMan, to no avail.

Comment actions Permalink
Official comment

Hello Jacques,

could you tell us the name of your instance? We would like to check the logs to find the reason of this error.

You can submit a request into our support system if you like it better.

Thank you!

Comment actions Permalink

Hi Liubov,

Our instance is

Our license is under "sapient". That is what you're referring to, correct?

Do you need the guid ID's for the services?


Comment actions Permalink

Hi Jackues,

Sure, license name is enough.

From what I can see from the log files requests are rejected due to token being malformed.

Would you mind recording a har file with the entire login sequence?

Comment actions Permalink

Hi guys,

Thanks, that pointed me in the right direction. As I was inspecting the traffic, I noticed the access_token was url-encoded, so I have to decode it first before sending it along - my mistake. Just having some trouble with JavaScript not wanting to decode it now. I've tried using decodeURIComponent(access_token), but it only works when debugging and running that code manually in my browser's JS-console, but it won't work otherwise. Do you have any advice?

Otherwise, thanks!

Comment actions Permalink

Hi Jacques.

It sounds really weird, because we use same decodeURIComponent in our Web products and it works absolutely OK. Could you try verbose logging your variables during this decoding?

Also, you could try any library which performs query string parsing easyly and reliable. For example, we've tested and it parses redirect URL pretty well.

Comment actions Permalink

Hi guys,

Thanks for the help. I managed to solve the problem by just nesting three calls to decodeURIComponent. I'll take a look at that qs package for future reference. 



Comment actions Permalink

Thanks Andrey, I'll be sure to take a look.


Please sign in to leave a comment.