5 Replies Latest reply: Nov 15, 2019 12:02 PM by wkm2a RSS

    Unable to complete 3-legged OAuth to fetch listings in test tier

    New Member

      We are working on a nodejs application for listing owners using the Homeaway API.

      We’re trying to request user-based tokens using the 3-legged API.

      According to the docs, we should be able to get the access token on requesting token with the “code” returned after “Step 1”. Unfortunately, the response does not have the access token but gives out an error ‘CLIENT_FORBIDDEN’.

      Here’s the snippet where we request the token:

      const headers = {"Content-Type": "application/x-www-form-urlencoded", "Authorization" : "Basic " + base64.encode(process.env.VRBO_CLIENT + ':' + process.env.VRBO_SECRET)}


        const url = `https://ws.homeaway.com/oauth/token`

        const options = {"method":"POST", "headers": headers, data: "code="+code}

        const response = await axios.request(url, options)

        return response.data


      Request (clientid/secret and token obfuscated):



           { Accept: 'application/json, text/plain, */*',

             'Content-Type': 'application/x-www-form-urlencoded',

             Authorization: 'Basic MGQ5*******#*@$*@#*$*@#$*@#*$@#*$*@#*%($*%$*^*$%($%(#$(%*#$(@#($@*#%$*@#($@(#$(#$(%#$)%#$(%#$(%)(@***WY0Nw==',

             'User-Agent': 'axios/0.17.1',

             'Content-Length': 52 },

        method: 'post',

        url: 'https://ws.homeaway.com/oauth/token',

        data: 'code=ST-882372-Ve(#$*@(#$*@#($*%(Cv-cas.homeaway.com'




        message: 'Clients in the Test Mode Tier can only request user-based tokens linked to the owner of the client.',

        errorCode: 'CLIENT_FORBIDDEN'


      The only account we’re using is the one associated with the API client and since its in test tier, logging in as a traveler.

      What's our recourse?