
Hi,

 

Awesome platform and I love the documentation & onboarding for new developers, kudos to all the hard work!

 

I am curious about the way to refresh an access_token described here:

https://developers.miro.com/reference/get-new-access-token-using-refresh-token

 

The docs suggest we should send a post request with our sensitive data as query params

https://api.miro.com/v1/oauth/token?grant_type=refresh_token&client_id=CLIENT_ID&client_secret=CLIENT_SECRET&refresh_token=REFRESH_TOKEN

 

However, adding sensitive data to query params is generally not good practice:
 

  1. Query parameters are often logged: Web servers or proxy servers may log the URLs, including the query parameters, which could expose sensitive data in logs. This poses a risk if the logs are accessible to unauthorized individuals.

  2. Query parameters may be stored in browser history: If the request is made through a web browser, the URL with the query parameters may be stored in the browser's history. If someone gains access to the browser or its history, they could retrieve the sensitive data.


Is there a way to send the data as the encrypted body method of a POST request? I am trying but it does not seem possible. Is there a reason query params were chosen?

 

Hope this helps,

Thanks

Hey @SeanGPT,

Thanks a lot for reaching out about this, and very glad to hear you’ve found our documentation and onboarding helpful so far!

As for your feedback regarding the usage of query params on our OAuth endpoint, it’s very fair feedback, and something I’ve raised with our team here to consider improving. 

In the meantime, I should note that you should also send these details in the request body as key-value pairs using:

Content-Type: application/x-www-form-urlencoded

 

Here’s a quick cURL example for getting an access_token (you should be able to do the same for the refresh_token flow):

curl --location --request POST 'https://api.miro.com/v1/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'client_id={{clientId}}' \
--data-urlencode 'client_secret={{clientSecret}}' \
--data-urlencode 'code={{code}}' \
--data-urlencode 'redirect_uri={{redirectUri}}'

Thanks again for the feedback, and let me know if this helps in the meantime!

Best,
Will
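As an added example (not code from the Miro docs or from either post above), here is the refresh_token grant built the way Will describes: every parameter in a form-encoded POST body and none in the URL, plus a small pre-flight check that flags any of the documented sensitive parameter names if they do show up in a query string. It assumes only the token endpoint and parameter names quoted on this page and uses the Python standard library; the placeholder credential values are constructed.

```python
"""Refresh a Miro access token with credentials in the POST body, not the URL.

Added example, not code from the Miro docs or the thread. Assumes the token
endpoint and parameter names shown on the page; placeholder values are
constructed and must be replaced with real ones before anything is sent.
"""
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.miro.com/v1/oauth/token"

# Parameter names that should never travel in a URL, since URLs end up in
# server/proxy access logs and browser history.
SENSITIVE = {"client_secret", "refresh_token", "code", "access_token"}


def build_refresh_request(client_id, client_secret, refresh_token):
    """Return a urllib Request for the refresh_token grant.

    All parameters go into the application/x-www-form-urlencoded body, so
    the request line that gets logged is just "POST /v1/oauth/token".
    """
    params = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }
    body = urllib.parse.urlencode(params).encode("utf-8")
    return urllib.request.Request(
        TOKEN_URL,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def secrets_in_query(url):
    """Return the sensitive parameter names present in a URL's query string.

    Use it as a guard before sending, or in a unit test, to catch a request
    that would leak credentials the way the query-string form does.
    """
    query = urllib.parse.urlparse(url).query
    names = {k for k, _ in urllib.parse.parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE)


def refresh_access_token(client_id, client_secret, refresh_token, timeout=10):
    """Build, guard and send the refresh request; return the parsed JSON body."""
    req = build_refresh_request(client_id, client_secret, refresh_token)
    leaked = secrets_in_query(req.full_url)
    if leaked:
        raise ValueError(f"refusing to send secrets in the URL: {leaked}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed placeholders; nothing is sent here.
    req = build_refresh_request("CLIENT_ID", "CLIENT_SECRET", "REFRESH_TOKEN")
    print(req.full_url)                    # URL carries no credentials
    print(req.data.decode("utf-8"))        # they are in the body instead
    print(secrets_in_query(req.full_url))  # []
    # The documented query-string form, for comparison:
    documented = (TOKEN_URL + "?grant_type=refresh_token&client_id=CLIENT_ID"
                  "&client_secret=CLIENT_SECRET&refresh_token=REFRESH_TOKEN")
    print(secrets_in_query(documented))    # ['client_secret', 'refresh_token']
```

This is the same request the cURL command above makes with `--data-urlencode`, just expressed in code so the guard can run before the network call; the check only inspects the URL, so it does not verify what the server itself logs from request bodies.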

