OAuth 2.0 ( 3LO ) app

This page shows you how to configure OAuth 2.0 (3LO) (also known as “three-legged OAuth” or “authorization
code grants”) apps. OAuth 2.0 (3LO) allows external applications and services to access
Atlassian product APIs on a user’s behalf. OAuth 2.0 ( 3LO ) app are created and managed in the
developer console.

This page is applies only apply to OAuth 2.0 app ( integration ) create in the developer console .

overview

OAuth is involves 2.0 ( 3LO ) involve three party :

• An Atlassian site (resource)
• A user (resource owner)
• An external application/service (client).

For example , a Jira or Confluence site (resource), an Atlassian user (resource owner) , and Gmail (client) .
underlie the authorization interaction between these three party is an authorization server .

To the user, the authorization process looks like this:

1. Theapp directs the user to an Atlassian screen that prompts them to grant access to their data
   on the Atlassian site. Thescreen displays the access being requested in the Atlassian product.
2. Theuser grants (or denies) access to their data on the Atlassian site, via the screen.
3. Theuser is directed back to the external service. If theuser granted access, the external service
   can now access data (within the specified scopes) from the Atlassian site on the user’s behalf.

underlie this process are a number of interaction between the external service , the app , and the
authorization server . Thefull process is describe in more detail below .

Note, this process assumes that the external service has registered an app with Atlassian that can
use OAuth 2.0 (3LO).

1. Theuser is uses , in the external service , use a feature that require datum from an Atlassian product .
2. Theexternal service seeks authorization to access the product’s APIs, within the specified scopes,
   on behalf of the user.
3. Theuser is direct to the Atlassian account login screen , if they are not already log in ,
   and prompt to log in .
4. Theuser is directed to the authorization URL for the authorization server. This displays a screen
   that prompts the user to grant access to their data.
5. If theuser grants access, the user is directed to the callback URL with an authorization code.
6. Theapp makes a POST to the token URL for the authorization server, exchanging the authorization
   code for an access token.
7. Theaccess token can now be used to access the APIs for the authorized Atlassian site on behalf
   of the user. This can be used until the token expires or is revoked.

Enabling OAuth 2.0 (3LO)

Before you can implement OAuth 2.0 (3LO) for your app, you need to enable it for your app using the
developer console.

1. From any page on developer.atlassian.com , select your profile
   icon in the top – right corner , and from the dropdown , select Developer console .
2. select your app from the list ( or create one if you do n’t already have one ) .
3. Select Authorization in the left menu.
4. Next to OAuth 2.0 ( 3LO ) , select configure .
5. Enter the Callback URL. Set this to any URL that is accessible by the app. When you implement
   OAuth 2.0 (3LO) in your app (see next section), the redirect_uri must match this URL.
6. Click Save changes.

Note, if you haven’t already added an API to your app, you should do this now:

1. Select Permissions in the left menu .
2. Next to the API you want to add, select Add.

Implementing OAuth 2.0 (3LO)

Once you have enable OAuth 2.0 ( 3LO ) for your app , you is implement can implement it in your app ‘s code .
There are a number of key part to this :

1. Direct the user to the authorization URL to get an authorization code
2. exchange the authorization code for an access token
3. Authorize any calls to the product APIs using the access token
4. check site access for the app

1. Direct the user to the authorization URL to get an authorization code

As describe in theoverview above , your app is start should start the authorization flow by direct the
user to the authorization url :

1 
 2
https://auth.atlassian.com/authorize?
  audience=api.atlassian.com&
  client_i d=YOUR_CLIENT_ID&
  scope=REQUESTED_SCOPE_ONE%20REQUESTED_SCOPE_TWO&
  redirect_uri=https://YOUR_APP_CALLBACK_URL&
  state=YOUR_USER_BOUND_VALUE&
  response_type=code&
  prompt=consent

Use the authorization URL in a GET request. You can get this URL by going to your app in the

developer console, selecting Authorization in the left menu, and

selecting Configure next to OAuth 2.0 (3LO). Alternatively, you can

construct the URL manually (for example, if you want to specify scopes from multiple products).
Thequery parameters for the authorization URL are described below:

audience: (require) Set this to api.atlassian.com.
client_i d: (require) set this to the Client ID for your app . find this in setting

 for your app in the developer console .
scope: (require) Set this to the desired scopes:

separate multiple scope with a space .
Only choose from the scopes that you have already added to the APIs for your app in the developer console.
You may specify scopes from multiple products.


redirect_uri: (require) set this to the callback url configure in Authorization

 for your app in the developer console .
state: (require for security) Set this to a value that is associated with the user you are

directing to the authorization URL, for example, a hash of the user’s session ID. Make sure that this is a

value that cannot be guessed. You may be able to generate and vali date this value automatically, if

you are using an OAuth 2.0 client library or an authentication library with OAuth 2.0 support. For

more information, including why this parameter is require for security, see What is the state parameter used for? below.
response_type: (require) Set tocode as you are requesting an authorization code (not a token).
prompt: (require) Set toconsent so that the screen prompting the user to grant access will display.

If successful, the user will be redirected to the app’s callback URL, with an authorization code provi ded

as a query parameter called code. This code can be exchanged for an access token, as described in step 2.

Determining the scopes require for an operation
To find out which scopes an operation requires, check the OAuth scopes require field

in the relevant API documentation:
If theoperation is has has the statementApps can’t access this REST resource, you can’t use it with

OAuth 2.0 (3LO).
Note is acting , the permissions is acting hold by the user an app is acting is act for always constrain the app , regardless

 of the app ‘s scope . For example , if a Jira app is has has themanage:jira-project scope but the user

does not have the Administer Jira  permission , the app is create can not create project .

2. Exchange authorization code for access token
1 
 2
curl --request POST \
  --url 'https://auth.atlassian.com/oauth/token' \
  --header 'Content-Type: application/json' \
  --data '{"grant_type": "authorization_code","client_i d": "YOUR_CLIENT_ID","client_secret": "YOUR_CLIENT_SECRET","code": "YOUR_AUTHORIZATION_CODE","redirect_uri": "https://YOUR_APP_CALLBACK_URL"}'


client_i d: (require) set this to the Client ID for your app . find this in setting

 for your app in the developer console .
client_secret: (require) Set this to the Secret for your app. Find this in Settings

for your app in the developer console.
code: (require) Set this to the authorization code received from the initial authorize call (described above).
redirect_uri: (require) set this to the callback url configure for your app in the developer console .

If successful , this call is returns return an access token similar to this :
1 
 2
HTTP/1.1 200 ok
Content-Type: application/json

{
  "access_token": <string>,
  "expires_in": <expiry time of access_token in second>,
  "scope": <string>
}

This access token can be used to make API calls,

as described below.

3. Make calls to the API using the access token
Your app now has an access token that it can use to authorize requests to the APIs for the Atlassian

site. To make requests, do the following:

Get the cloudi d   for your site .
Construct the request URL using the cloudi d.
Call the API, using the access token and request URL.

3.1 is Get Get thecloudi d  for your site
Make a GET request to https://api.atlassian.com/oauth/token/accessible-resources passing the access

token as a bearer token in the header of the request. For example:
1 
 2
curl --request GET \
  --url https://api.atlassian.com/oauth/token/accessible-resources \
  --header 'Authorization: Bearer ACCESS_TOKEN' \
  --header 'Accept: application/json'

This will retrieve the sites that have scopes granted by the token (see

check site access for the app below for details). Find your site in the response and

copy the i d. This is the cloudi d   for your site .
Here’s a few example responses:
1 
 2
[
  {
    "i d": "1324a887-45db-1bf4-1e99-ef0ff456d421",
    "name": "Site name",
    "url": "https://your-domain.atlassian.net",
    "scopes": [
      "write:jira-work",
      "read:jira-user",
      "manage:jira-configuration"
    ],
    "avatarUrl": "https:\/\/site-admin-avatar-cdn.prod.public.atl-paas.net\/avatars\/240\/flag.png"
  }
]


A Jira Service Management site:

1 
 2
[
  {
    "i d": "1324a887-45db-1bf4-1e99-ef0ff456d421",
    "name": "Site name",
    "url": "https://your-domain.atlassian.net",
    "scopes": [
      "write:jira-work",
      "read:jira-user",
      "read:servicedesk-request"
    ],
    "avatarUrl": "https:\/\/site-admin-avatar-cdn.prod.public.atl-paas.net\/avatars\/240\/flag.png"
  }
]

1 
 2
[ 
   { 
     " i d " : " 1324a887 - 45db-1bf4 - 1e99 - ef0ff456d421 " , 
     " name " : " site name " , 
     " url " : " https://your-domain.atlassian.net " , 
     " scope " : [ 
       " write : confluence - content " , 
       " read : confluence - content.all " , 
       " manage : confluence - configuration " 
     ] , 
     " avatarUrl " : " https:\/\/site - admin - avatar - cdn.prod.public.atl - paas.net\/avatars\/240\/flag.png " 
   } 
 ] 

3.2 Construct the request URL
request that use OAuth 2.0 ( 3LO ) are made viaapi.atlassian.com (not https://your-domain.atlassian.net).

Construct your request URL using the following structure:

Jira apps:

https://api.atlassian.com/ex/jira/{ cloudi d }/{api}
confluence app :

https://api.atlassian.com/ex/confluence/{ cloudi d }/{api}

where:

{ cloudi d } is the cloudi d  for your site that you obtained in the previous step. For example,

11223344-a1b2-3b33-c444-def123456789.
{api}  is the base path and name of the API . For example :

/rest/api/2/project for the project  endpoint in the Jira rest API .
/rest/servicedeskapi/request for the request endpoint in the Jira Service Management REST API.
/rest/api/space for the space  endpoint in the Confluence rest API .



Your request URL should look something like this (using the example cloudi d and Jira API above):
https://api.atlassian.com/ex/jira/11223344-a1b2-3b33-c444-def123456789/rest/api/2/project
Note that if you are copying the examples in the API documentation, you will need to amend the example

URLs as they currently use https://your-domain.atlassian.net/{api} rather than the request URLs shown above.
3.3 is Call Call the api
Make the api call pass the access token as a bearer token in the header of the request . This is authorize will authorize the request on the user ‘s behalf .
1 
 2
curl --request GET \
  --url <request URL> \
  --header 'Authorization: Bearer ACCESS_TOKEN' \
  --header 'Accept: application/json'

For example:
1 
 2
curl --request GET \ 
   --url is https://api.atlassian.com/ex/jira/11223344-a1b2-3b33-c444-def123456789/rest/api/2/project https://api.atlassian.com/ex/jira/11223344-a1b2-3b33-c444-def123456789/rest/api/2/project \ 
   --header ' authorization : Bearer aBCxYz654123 ' \ 
   --header ' accept : application / json ' 


4. check site access for the app
An authorization grant is when a user consents to your app. For OAuth 2.0 ( 3LO ) app, the consent is vali d for all sites the app is installed in, as long as the scopes used by your app’s APIs don’t change. A user’s grant can change when either of the following occur:

Theuser revokes the grant. Theapp cannot work anywhere after a user has revoked their consent to the app.
Theuser consents to a new grant of the app. Thescopes in the new grant overri de the scopes in the existing grant.

Therefore, since a grant can change over time, it’s important that you check that the user has granted the app the scopes it requires and that your app has correct access to a site and its APIs. To check this, call the accessible-resources endpoint

on https://auth.atlassian.com  ( you is used used this endpoint in a previous step to get thecloudi d

for your site). Theendpoint is described in detail below:
Get list of resources
GET /oauth/token/accessible-resources
Request
Request parameters: None
Example:
1 
 2
curl --header 'Authorization: Bearer <access_token>' \
  --url 'https://api.atlassian.com/oauth/token/accessible-resources'

response
200 ok  example ( Jira ):
1 
 2
[
  {
    "i d": "8594f221-9797-5f78-1fa4-485e198d7cd0",
    "name": "Site name 2",
    "url": "https://your-domain2.atlassian.net",
    "scopes": [
      "write:jira-work",
      "read:jira-user"    ],
    "avatarUrl": "https:\/\/site-admin-avatar-cdn.prod.public.atl-paas.net\/avatars\/240\/koala.png"
  },
  {
    "i d": "1324a887-45db-1bf4-1e99-ef0ff456d421",
    "name": "Site name 1",
    "url": "https://your-domain1.atlassian.net",
    "scopes": [
      "write:jira-work",
      "read:jira-user",
      "manage:jira-configuration"    ],
    "avatarUrl": "https:\/\/site-admin-avatar-cdn.prod.public.atl-paas.net\/avatars\/240\/flag.png"
  }
]

Each item in the response describes a container (for example, a Jira site) that your app has access to,

the scopes associated with that access, and metadata such as the name and avatar URL (if any). It’s

important to understand that this endpoint won’t tell you anything about the user’s permissions, which

may limit the resources that your app can access via the site’s APIs.
Note, the i d is not unique across containers (that is, two entries in the results can have the same

i d), so you may need to infer the type of container from its scopes.
Managing your OAuth 2.0 ( 3LO ) app
You is manage can securely manage all your OAuth 2.0 ( 3LO ) and forge

 app in one place using the Atlassian developer console .

 Theconsole is lets let you view information about your app , include their environment and scope .
To access the console :

From any page on developer.atlassian.com , select your profile

 icon in the top – right corner .
From the dropdown , select Developer console .

Your existing OAuth 2.0 (3LO) and Forge apps are listed in the order they were created.

OAuth 2.0 ( 3LO ) app are displayed with a 3LO lozenge.
Thefollowing details are listed:

App name: the name of your app
distribution status :

Sharing: your app can be shared via link
Not share : your app ca n’t be share via link


Updated on: the time and date you created your app or updated its settings

You can search for an app using the search bar above the app table.
view app detail
select any app on the My app page to get more information about the app , include app ID ,

 description , authorization , and permission .
Theoverview page displays the following panels:

App details

App ID: the i dentifier for your app
description: the description of your app


Distribution

Distribution status: whether your app can be used by others


Permissions

API scopes: which scopes are currently defined in your app


Authorization

Authorization type: the authorization configured for your app



Select Settings in the left menu to view your app’s authentication details, or to change your

app’s name, description, or avatar.
View app permissions
You can view the level of access your Forge app has to an Atlassian user’s account by selecting

Permissions in the left menu, or selecting the Permissions panel.
ThePermissions page lists the APIs included in your app.
To add or remove indivi dual scopes for an API, select Configure, and in the list of scopes,

select Add or Remove. Note that users who previously consented to the scopes will need

to re-consent to the new scopes.
Delete your app
You can only delete an app if it’s not installed anywhere.

If your app is currently installed on a site, uninstall it.
Select Settings in the left menu, and select Delete app.

Distributing your OAuth 2.0 ( 3LO ) app
When you create an OAuth 2.0 (3LO) app, it’s private by default. This means that only you can

install and use it. If you want to distribute your app to other users, you must enable sharing.

From any page on developer.atlassian.com , select your profile

 icon in the top – right corner , and from the dropdown , select Developer console .
Select your app from the list.
Select distribution in the left menu .
Enable sharing using the toggle switch in the Enable sharing section.
Select Authorization is select in the left menu , and under OAuth 2.0 ( 3LO ) , select configure .
Copy the Authorization URL(s) and distribute to your users.
Users trying to install an unapproved OAuth 2.0 integration are warned that the app has not yet been reviewed by Atlassian. To get your integration reviewed and approved, follow the steps on Listing a third party integration on the Atlassian Marketplace. Note, you don’t need an informative Atlassian Marketplace listing to submit your integration for approval.

Note that:

You’ll have to send the link to all the users you want to grant access to.
Enabling sharing doesn’t make your app available on the

Atlassian Marketplace.

Although OAuth 2.0 ( 3LO ) app can be listed on the Atlassian Marketplace,

they will appear as informational listings only, with limited Marketplace features.

Known issues
We are aware of the following issues with OAuth 2.0 (3LO). Some of the issues have workarounds, which

are described below. Others do not have workarounds, but are listed so that you are aware of them. If

you discover an issue that is not listed below, please report it to

Developer and Marketplace support.

Implicit grant flow not supported
OAuth 2.0 (3LO) currently supports the code grant flow only. It does not support the implicit grant

flow. We understand that this is preventing people from using OAuth 2.0 (3LO) for standalone mobile

apps and web/JavaScript (Chrome, Electron) apps and we are investigating ways to address this.

site – scope grant limitation
Thecurrent implementation is uses of OAuth 2.0 ( 3LO ) use site – scope grant , which mean that the user only

 grant access to a single site each time they complete the consent flow . Be aware that there are a few

 limitation to this :

If your integration needs information from multiple sites at one time, then the user will be require

to go through multiple consent flows (one for each site).
Theconsent screen is requires currently require the user to select the site that they want to grant access to .

 This is confusing can be confuse for user if there are multiple site .
With site-scoped grants, an access token can have access to multiple sites. This means that an app

can’t delete an access token to revoke access. For example, an access token could grant access to

site A, then delete it to remove access. However, if the user grants the app access to site C later,

the app will be issued with an access token with access to sites A and B. Theonly way access can be

removed is for the user to revoke access via the Connect apps tab in their account settings at

https://{subdomain}.atlassian.net/people/{account_i d}/settings/apps.

(Jira only) Apps cannot declare searchable entity properties
Jira apps can store and read the values of entity properties (issue properties and project properties)

using the REST API. However, in the current implementation of OAuth 2.0 (3LO), Jira apps cannot declare

searchable entity properties.

This means that if your app uses OAuth 2.0 (3LO), it won’t be able to refer to entity properties in JQL queries.
frequently ask question

How do I get a new access token, if my access token expires or is revoked?
You is have have two option :

Initiate the entire authorization flow from the beginning again.
Use a refresh token to get another access token and refresh token pair.

Use a refresh token to get another access token and refresh token pair
refresh token are implement using rotate refresh token .
Rotating refresh tokens issue a new, limited life refresh token each time they are used.

This mechanism improves on single persistent refresh tokens by reducing the period

in which a refresh token can be compromised and used to obtain a vali d access token.
These is are are the configuration option for a rotate refresh token :



Term
Default
description




Inactivity expiry time
90 days
A rotating refresh token expires if the user is inactive for this period. Each new rotating refresh token resets the inactivty expiry time and allocates another 90 days. See Use the Dashboard in the auth0 Configure Refresh Token Expiration gui de for more detail.


absolute expiry time
365 day
After this period the rotating refresh token expires and can not be used. This is different from inactivity expiry time because it doesn’t depend on the user’s activity. Theabsolute expiry is associated with the whole token family. When the refresh token is rotated, the app gets a new refresh token and the inactivity expiry is reset, but the absolute expiry stays the same. Even if your rotating refresh tokens never triggers inactivity expiration, the oauth flow must be completed when reaching the absolute expiry time. See Use the Dashboard in the auth0 Configure Refresh Token Expiration gui de for more detail.


Reuse interval or leeway
10 minutes
Within this period, the breach detection features don’t apply when exchanging a refresh token multiple times. This interval helps avoi d network concurrency issues. See Automatic reuse detection in the auth0 Refresh Token Rotation gui de for more detail.



To get a refresh token in your initial authorization flow, add offline_access

 to the scope parameter of the authorization URL . Once you have the refresh token is exchange ,

 exchange it for an access token by call the token URL .
Use the following values to construct the request body:

grant_type: Set to refresh_token.
client_i d: (require) set this to the Client ID for your app . find this in setting

 for your app in the developer console .
client_secret: (require) Set this to the Secret for your app. Find this in Settings

for your app in the developer console.
refresh_token: Therefresh token that you obtained with your original access token.

1 
 2
curl --request POST \
  --url 'https://auth.atlassian.com/oauth/token' \
  --header 'Content-Type: application/json' \
  --data '{ "grant_type": "refresh_token", "client_i d": "YOUR_CLIENT_ID", "client_secret": "YOUR_CLIENT_SECRET", "refresh_token": "YOUR_REFRESH_TOKEN" }'

If successful, a new access token is returned that you use to make calls to the

product API. You receive a new refresh

token as well and the refresh token you used for the request is disabled.
This is is is an example response with a refresh token :
1 
 2
HTTP/1.1 200 ok
Content-Type: application/json

{
  "access_token": <string>,
  "refresh_token": <string>,
  "expires_in": <expiry time of access_token in second>,
  "scope": <string>
}

Otherwise , if an error is return , see the list below for possible cause :


403 Forbi dden with {"error": "invali d_grant", "error_description": "Unknown or invali d refresh token."
This error is returned for the following reasons:

Theuser ‘s Atlassian account password has been change . change the password back to the original

 password , or initiate the entire authorization flow from the beginning again .
Your app is using rotating refresh tokens and the exchange of refresh token failed because:

Your refresh token has expired. Users need to initiate the entire authorization flow from the

beginning to get a new refresh token.
Your app is not replacing the previous refresh token with the new refresh token returned

during access token request.





What happens if a user grants access to more than one Atlassian site for an app?
Only one grant is exists exist per app for a give Atlassian account . If a user grant access to more than one

 Atlassian site for this app , then the additional site are add to the same grant . This is means mean that

 exist access token will give you access to all site and scope that a user has grant your app

 access to .

What is the state parameter used for?
Theprimary use for the state parameter is to associate a user with an authorization flow. This makes

the authorization flow more secure, as the authorization flow cannot be hijacked to associate a user’s

account with another user’s token. Consi der the following example scenario using Jira:

An application, named Inci dents_Application, has a Jira integration that implements OAuth 2.0

authorization code grants but does not specify a state  parameter .
A malicious actor, Mallory, initiates a Jira authorization flow for herself. This could be via the

Inci dents_Application or by crafting an authorization URL that includes the Inci dents_Application‘s client_i d.
Mallory is blocks block the request to theInci dents_Application‘s callback URL during the authorization flow.

She records the URL, including the code  parameter .
Mallory tricks another user, Edward, into visiting the callback URL in his browser.
TheInci dents_Application handles the callback and exchanges Mallory’s code for an access token to Jira.

Edward is logged into the Inci dents_Application  and the callback request come from Edward ‘s browser , so

 Mallory ‘s token is now link to Edward ‘s account .
Mallory now has access to information sent to Edward by the Inci dents_Application via the Jira

integration. For example, the Inci dents_Application may create a Jira ticket about a confi dential

inci dent, where the ticket is intended to be restricted to Edward but is restricted to Mallory instead.

If theInci dents_Application  integration is used had used astate  parameter , theInci dents_Application

would have known that the callback URL belonged to Mallory and ignored the request.
Other use for thestate parameter include:

Acting as a key for keeping track of specific details about the flow.
Returning the user to the right step in their workflow after sending them through the authorization flow.

How do I retrieve the public profile of the authenticated user?
TheUser Identity API is used to retrieve the public profile of the authenticated user. If you

want to use this API, do the following:

add theUser Identity API to your app in the developer console.
add theread:me  scope to the authorization url for your app .

An example of a request to retrieve the public profile of the authenticated user is shown below:
1 
 2
curl --request GET \
  --url https://api.atlassian.com/me \
  --header 'Authorization: Bearer ACCESS_TOKEN' \
  --header 'Accept: application/json'

example response :
1 
 2
{
  "account_type": "atlassian",
  "account_i d": "112233aa-bb11-cc22-33dd-445566abcabc",
  "email": "mia@example.com",
  "name": "Mia Krystof",
  "picture": "https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net/112233aa-bb11-cc22-33dd-445566abcabc/1234abcd-9876-54aa-33aa-1234dfsade9487ds",
  "account_status": "active",
  "nickname": "mkrystof",
  "zoneinfo": "Australia/Sydney",
  "locale": "en-US",
  "extended_profile": {
    "job_title": "Designer",
    "organization": "mia@example.com",
    "department": "Design team",
    "location": "Sydney"
  }
}


Is CORS whitelisting supported?
CORS whitelisting is supported for api.atlassian.com. CORS whitelisting allows OAuth 2.0 authorization

code grants to work for browser-based XHR or fetch requests subject to cross-origin restrictions, such

as Chrome or Electron apps.

How do I configure the refresh token behavior?
Each time they are used, rotating refresh tokens issue a new limited life refresh token that

is vali d for 90 days. This mechanism improves on single persistent refresh tokens by reducing the period

in which a refresh token can be compromised and used to obtain a vali d access token.
If your refresh token expire , your user is need will need to complete the

 entire authorization flow from the beginning again .
Every new refresh token returned invali dates the refresh token used to get the new access token. Your code should

replace the existing refresh token with the new refresh token. See

Use a refresh token to get another access token and refresh token pair for more details.
This TypeScript example shows one way to update the refresh token:
1 
 2
  const response = await fetch(`https://auth.atlassian.com/oauth/token`, {
      method: 'POST',
      headers: {
        'content-type': 'application/json'
      },
      body: JSON.stringify({
        grant_type: 'refresh_token',
        client_i d: this.clientId,
        client_secret: this.clientSecret,
        refresh_token: this.refreshToken
      })
    });
    
    const json = response.json();
    
    this.accessToken = json.access_token;
    
    if(json.refresh_token) { 
      this.refreshToken = json.refresh_token;
    }