Skip to content

Instantly share code, notes, and snippets.

Last active June 9, 2024 10:41
Show Gist options
  • Save LindaLawton/cff75182aac5fa42930a09f58b63a309 to your computer and use it in GitHub Desktop.
Save LindaLawton/cff75182aac5fa42930a09f58b63a309 to your computer and use it in GitHub Desktop.
Curl bash script for getting a Google Oauth2 Access token
# Tutorial
# YouTube video
# Client id from Google Developer console
# Client Secret from Google Developer console
# Scope this is a space seprated list of the scopes of access you are requesting.
# Authorization link. Place this in a browser and copy the code that is returned after you accept the scopes.[Application Client Id]&redirect_uri=[Scopes]&response_type=code
# Exchange Authorization code for an access token and a refresh token.
curl \
--request POST \
--data "code=[Authentcation code from authorization link]&client_id=[Application Client Id]&client_secret=[Application Client Secret]&redirect_uri=" \
# Exchange a refresh token for a new access token.
curl \
--request POST \
--data 'client_id=[Application Client Id]&client_secret=[Application Client Secret]&refresh_token=[Refresh token granted by second step]&grant_type=refresh_token' \
Copy link

ChanakyaSrinivas commented Nov 29, 2017

Hi All,

How to authenticate gmail user for google calendar using curl statements?

can you please help me out

Copy link

LindaLawton commented Jul 17, 2018

Note it also works using

curl -d -d client_secret=uxpj6hx1H2N5BFqdnaNhIbie -d grant_type=authorization_code -d redirect_uri=urn:ietf:wg:oauth:2.0:oob -d code=4/AABvK4EPc__nckJBK9UGFIhhls_69SBAyidj8J_o3Zz5-VJN6nz54ew

now links to How to connect to the Google Drive API using cURL?

Copy link

Similar but with all the steps and macro replacements

Copy link

ghost commented Mar 26, 2019

Hi All,
I was tried the script, but I am getting the
"error": "invalid_grant",
"error_description": "Bad Request"

Then I changed the grant_type=client_credentials and tried. But again get the error that pasted below.

--request POST
--data "code=4/GQEg70zaxHAuRhhd6A1RB_6LIxwwBV8ak5xRP-nZIBTjuvt4g3fTWyU&"

"error": "unsupported_grant_type",
"error_description": "Invalid grant_type: client_credentials"

Also, tried LindaLawton's curl command that pasted below and getting the error.

curl -d -d client_secret=Sn3giYFFPMCNteKC--938xsP -d grant_type=authorization_code -d redirect_uri=urn:ietf:wg:oauth:2.0:oob -d code=4/GQEg70zaxHAuRhhd6A1RB_6LIxwwBV8ak5xRP-nZIBTjuvt4g3fTWyU

"error": "invalid_grant",
"error_description": "Bad Request"

Copy link

Got invalid_grant as well. The reason is that the given authorization code can only be used once.

If one performs a malformed request with the code, it is now lost and you should retrive a new one.

I am performing those steps using httpie, so it looks like:

http '' 'client_id==[Application Client Id]' redirect_uri==urn:ietf:wg:oauth:2.0:oob 'scope==[Scopes]' 'response_type==code'
# This is gonna give you a Redirect, you should open that location on your browser and accept it manually
http -f POST '' 'client_id=[Application Client Id]' client_secret=[Application Client Secret] 'code=[Authentcation code from authorization link]' grant_type=authorization_code redirect_uri=urn:ietf:wg:oauth:2.0:oob

Copy link

curl -d -d client_secret=uxpj6hx1H2N5BFqdnaNhIbie -d grant_type=authorization_code -d redirect_uri=urn:ietf:wg:oauth:2.0:oob -d code=4/AABvK4EPc__nckJBK9UGFIhhls_69SBAyidj8J_o3Zz5-VJN6nz54ew


Copy link

esmaeilpour commented Dec 24, 2020

@viniciusd 👍

Copy link

Doesn't work for me, returns "prepare_token_request() got multiple values for argument 'grant_type'.

Copy link

LindaLawton commented Apr 22, 2021

Copy link

No work for me, i see this error:

Se produjo un error en la autorización
Error 400: redirect_uri_mismatch
The redirect URI in the request, urn:ietf:wg:oauth:2.0:oob, can only be used by a Client ID for native application. It is not allowed for the WEB client type. You can create a Client ID for native application at
Más información

Copy link

LindaLawton commented Jan 18, 2022

@pilchita You created web application credentials. For this to work you need to create credentials for a native application. Try watching this How to create an installed client.

Or this Understanding Oauth2 with curl

Copy link

Forgive my English, I want to use curl to create email accounts in the domain of the company where I work and so I can automate this process. I have read the documentation and some things I do not understand, I will follow your instructions to make it work.

I think I am confused when specifying the type of application, should I indicate that it is a desktop application or a web application?


Copy link

its a desktop application . If you have google workspace you should be using a service account with another programming language. Using curl for that is going to make things harder for you.

Copy link

Linda thanks for your help.

Already create a service account and provide permissions ( //

"type": "service_account",
"project_id": "xxxxxxxxxx",
"private_key_id": "xxxxxxxxxxxxxxxxxx",
"private_key": ""
"client_email": "",
"client_id": "xxxxxxxxxxxxxxxxxxxxxxxxx",
"auth_uri": "",
"token_uri": "",
"auth_provider_x509_cert_url": "",
"client_x509_cert_url": ""

With that information I can’t generate a token using curl, postman or httpie?


Copy link

LindaLawton commented Jan 18, 2022

I know for a fact that your not going to be able to do it with postman. Im not sure that curl is able to do the encoding needed if you manage to create a valid JWT with curl i would love to see the code. heres a link to the documentation

this looks like it might help to

maybe one of these if i have time i might give it a try.

Copy link

prashantrbs commented Jan 30, 2022

When i hit curl command i am getting below url

curl --request POST --data "code=4/0AX4XfWiu_WHUUrStOBoyK4G4Q6fhQqJXdETW9rKveglB5ik3K5HvjyQqHyA&scope="


"error": "invalid_request",
"error_description": "\nYou can\u0026#39;t sign in to this app because it doesn\u0026#39;t comply with Google\u0026#39;s OAuth 2.0 policy for keeping apps secure.\n\nYou can let the app developer know that this app doesn\u0026#39;t comply with one or more Google validation rules.\n "

Some one please help

Copy link

LindaLawton commented Mar 5, 2022

Google has recently made a change that breaks this script How to authorize a curl script to Google Oauth after OAuth out-of-band oob flow is deprecated?. I have a question up on Stack overflow to see if it can be fixed or not.

The solution was to use instead.

Copy link

I know for a fact that your not going to be able to do it with postman. Im not sure that curl is able to do the encoding needed if you manage to create a valid JWT with curl i would love to see the code. heres a link to the documentation

Here is a bash function to generate jwt, needs openssl to craete the payload data and jq to extract values from json. Wrote this function recently for some google drive stuff

# Generate rs256 jwt just with cli commands and shell
# Specifically for gdrive service accounts usage
# Globals: None
# Arguments: 2
#   ${1} = service account json file contents ( should contain client_email and private key )
#   ${2} = SCOPE for gdrive ( if not given then global var SCOPE is used )
# Result: print jwt
# Refrences:
#   Inspired by implementation by Will Haley at:
_generate_jwt() {
    declare json="${1:?Error: Give service json file contents}" \
        scope="${2:-${SCOPE}}" aud="" \
        header='{"alg":"RS256","typ":"JWT"}' \
        algo="256" scope payload_data iss exp iat rsa_secret signed_content sign

    if iss="$(jq .client_email <<< "${json}")" &&
        rsa_secret="$(jq .private_key <<< "${json}")"; then
        rsa_secret="$(printf "%b\n" "${rsa_secret}")"
        printf "Error: Invalid service account file.\n" && return 1

    iat="$(printf "%(%s)T\\n" "-1")" exp="$((iat + 3400))"

    b64enc() { : "$(openssl enc -base64 -A)" && : "${_//+/-}" && : "${_//\//_}" && printf "%s\n" "${_//=/}"; }


        signed_content="$(b64enc <<< "${header}").$(b64enc <<< "${payload_data}")"
        sign="$(printf %s "${signed_content}" | openssl dgst -binary -sha"${algo}" -sign <(printf '%s\n' "${rsa_secret}") | b64enc)"
    } || return 1

    printf '%s.%s\n' "${signed_content}" "${sign}"
    return 0

P.S: Also answered your post on stackoverflow

Copy link

jay commented Jan 16, 2023

The out-of-band method no longer works which is why the script is broken. I have some scripts that use the loopback method on desktop and are working as of this posting.

Copy link

Thanks @jay!

Copy link

LindaLawton commented Jan 17, 2023

@jay you can use instead of urn:ietf:wg:oauth:2.0:oob and it works fine.

Copy link

phlbnks commented Jan 31, 2023

Works perfectly - thanks!

Copy link

Why is there a consent screen for the first step to get the code? How would I possible click the Accept in a server environment? Could anyone please help me out if possible.

Copy link

@rohanmenon96 you wouldn't do this on a server you would do it on your local machine. A server doesn't have a browser window. Get a refresh token then store it and upload that to your server

Copy link

linhdv96 commented Jun 8, 2023

unrelated but it's worth the reference,
get access_token using google/apiclient library in Laravel(php8),
This access_token works with any project in 1 firebase

Copy link

aglines commented Jul 19, 2023

Found a good link, Goog OAUth2 Playground helped generate the refresh token with correct scope, etc. Doc here, link is in the doc:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment