Hi all,
we’re using Frappe’s OAuth2 integration from an application written in Ruby. The authorization flow is working great:
```ruby
require 'oauth2'
require 'addressable/uri'

# Core::Configuration is the application's own settings object.
config = Core::Configuration
uri = Addressable::URI.new(host: config.host, scheme: config.protocol)
OAuth2::Client.new(config.oauth_client_id, config.oauth_client_secret,
  site: uri.to_s,
  authorize_url: '/api/method/frappe.integrations.oauth2.authorize',
  token_url: '/api/method/frappe.integrations.oauth2.get_token',
  redirect_uri: config.oauth_callback
)
```
However, since ~December 2025, the refresh_token flow is not working anymore. The following code is used:
```ruby
# access is the OAuth2::AccessToken obtained from the authorization grant.
new_access = access.refresh(
  client_id: oauth_client_id,
  headers: {'Authorization' => ''}
)
```
To not trigger authentication in Frappe, the Authorization header is set to an empty string.
Running the token refresh raises the following exception:
```
User Guest does not have doctype access via role permission for document User
```
If I use the Authorization header issued by the authorization grant, Frappe returns an “invalid client” exception.
Does anyone else here use Frappe as OAuth2 provider and could provide me with an example of a refresh_token flow? Language doesn’t matter.
Some more logging:
```
I, [2026-01-14T07:36:33.578259 #196559] INFO -- : request: POST https://example.com/api/method/frappe.integrations.oauth2.get_token
I, [2026-01-14T07:36:33.578328 #196559] INFO -- : request: User-Agent: "Faraday v2.12.2"
Content-Type: "application/x-www-form-urlencoded"
Authorization: ""
I, [2026-01-14T07:36:33.578951 #196559] INFO -- : request: {client_id: "RETRACTED",
grant_type: "refresh_token",
refresh_token: "RETRACTED"}
I, [2026-01-14T07:36:33.669213 #196559] INFO -- : response: Status 403
```
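A stdlib-only way to replay the refresh request from the log above with the Authorization header omitted, sent empty, or set to the access token, so the server's responses can be compared outside the oauth2 gem. This is an added example, not part of the original post or Frappe's code; the function names, the `Bearer` scheme for the third variant, and the header-omitted variant are assumptions.

```ruby
require 'net/http'
require 'uri'

# Token endpoint path as quoted in the post.
TOKEN_PATH = '/api/method/frappe.integrations.oauth2.get_token'

# Build (without sending) a refresh_token request with the same form fields
# as the logged one. authorization: :omit leaves the header out entirely;
# any String, including '', is sent as the header value.
def build_refresh_request(site:, client_id:, refresh_token:, authorization: :omit)
  req = Net::HTTP::Post.new(URI.join(site, TOKEN_PATH))
  req.set_form_data(
    'grant_type'    => 'refresh_token',
    'refresh_token' => refresh_token,
    'client_id'     => client_id
  )
  req['Authorization'] = authorization unless authorization == :omit
  req
end

# Send the variants one by one and return { label => [status, body] }.
# Stops at the first 2xx, because a server may rotate the refresh token
# on success and the remaining variants would then fail for that reason.
def compare_variants(site:, client_id:, refresh_token:, access_token:)
  variants = {
    'header omitted' => :omit,
    'empty header'   => '',                          # what the post sends
    'bearer header'  => "Bearer #{access_token}"     # assumed scheme
  }
  variants.each_with_object({}) do |(label, auth), out|
    req = build_refresh_request(site: site, client_id: client_id,
                                refresh_token: refresh_token, authorization: auth)
    uri = req.uri
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
      http.request(req)
    end
    out[label] = [res.code, res.body]
    break out if res.is_a?(Net::HTTPSuccess)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Offline demo with constructed placeholder values; nothing is sent.
  demo = build_refresh_request(site: 'https://example.com',
                               client_id: 'CLIENT_ID', refresh_token: 'REFRESH_TOKEN')
  puts demo.body
  puts "Authorization present: #{demo.key?('Authorization')}"
end
```

Call `compare_variants` with real values against a test site only, and keep the returned bodies out of shared logs since a successful response contains new tokens.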