Hello Vyshnu,
The Blue Button API does not allow the client secret to be in the URL parameter. This is per OAuth 2.0 best practices and is related to improved security. Instead, this should be passed via the body (e.g. form data) and/or headers part of the request.
Here is an example curl command doing token refresh, where data is sent in the body of the request (not as query parameters):
curl -s -w “%{http_code}” -X POST “${BB_SERVER}/v1/o/token/” \
-u “${BB_CLIENT_ID}:${BB_CLIENT_SECRET}” \
-d “grant_type=refresh_token&client_id=${BB_CLIENT_ID}&refresh_token=${REFRESH_TOKEN}”
Thank you for your post,
The Blue Button 2.0 Team
Kirsten Hansen, Product Manager
Blue Button 2.0