Skip to main content
You can succeed best and quickest by helping others to succeed. Join the conversation.
Showing results for 
Search instead for 
Did you mean: 
Contributor II
Contributor II

oauth token exchange dose not going well

I get an access token for oauth using the client secret on the server side and request to exchange it with a websocket access token for use with enigma.js, but I get an authorization error.

Is there something wrong with the program or recognition?




  const oauthQlik = new Qlik({
    authType: AuthType.OAuth2,
    host: process.env.TENANT_HOST,
    clientId: process.env.OAUTH_CLIENT_ID,
    clientSecret: [CLIENT_SECRET],
  const authProps = await oauthQlik.auth.authorize();

  const res = await (
    await'/oauth/token', {
      method: 'POST',
      body: JSON.stringify({
        subject_token: authProps.access_token,
        subject_token_type: 'urn:ietf:params:oauth:token-type:access_token',
        grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
        purpose: 'websocket',
        client_id: process.env.OAUTH_CLIENT_ID,

  return res.access_token;





    "errorType": "AuthorizationError",
    "errorMessage": "Failed to authorize using OAuth",
    "error": "Failed to authorize using OAuth",
    "statusText": "Unauthorized",
    "status": 401,
    "errors": [
            "title": "Unauthorized",
            "detail": "Cannot perform exchange with given Oauth configuration.",
            "code": "OAUTH-5",
            "status": "401"
    "traceId": "00000000000000007b3eae16dc8dd270",
    "name": "AuthorizationError",
    "stack": [
        "AuthorizationError: Failed to authorize using OAuth",
        "    at Qlik.RestClient.restClientInstance [as rest] (/var/task/node_modules/@qlik/sdk/dist/cjs/auth/restClient.js:137:17)",
        "    at processTicksAndRejections (internal/process/task_queues.js:95:5)",
        "    at async module.exports (/var/task/resolvers/query/getQlikAuthToken/index.js:26:5)",
        "    at async Runtime.exports.handler (/var/task/index.js:32:14)"


  • nodejs16 (AWS Lambda)
  • "@qlik/sdk": "^0.21.1"
  • "node-fetch": "^2.6.11"
Labels (2)
6 Replies

Hi  @sasaki507 could you please try with this approach? It leverages qlik/sdk auth methods for creating websocket url and use it with enigma.js.

Contributor II
Contributor II

Hi @alex_colombo ,

Thanks for the reply. We are building a front-end app in SPA and we don't want to go through the Qlik authentication flow to users logged into our app, so we want to request oauth-token-exchange on the server side to get only the access token.

Is this not possible with oauth's api?


So, you want to use a backend service for get access token from Qlik cloud and then use it into your SPA for embedding Qlik visualizations? If so, you should be in this situation right?
About your code, you can use Qlik/sdk or REST APIs. Use both does not make sense for me. If you want to have the access token use REST APis. Here the example on how to use it


hi @sasaki507 , I think what you're looking for is not to do an SPA, but a Web PKCE flow that can auth a user without having them authenticate to Qlik Cloud. This is something we're investigating. It involves enabling a backend OAuth client (the web application) to request tokens on behalf of users that it can pass to the front-end. One of the challenges with this approach is that the user must exist as a user on Qlik Cloud. At some point, at least once, the user has to authenticate to Qlik Cloud. There are other patterns we're looking at to support proxying requests on the backend but it's still early days. I'm interested in reading more about your use case as it can help inform our approach.

Contributor II
Contributor II

Yes, I want to get an access token on the server side and use it to connect a websocket session with enigma.js on the front end to embed the visualization.
Looking at the code in the sdk, in the `generateWebsocketUrl` function, after authentication, the exchange to the access token as `purpose: 'websocket'` and passing the access token in the websocket url parameter.
I tried exchanging tokens in the same way, but an error occurred, so I posted the question.

Contributor II
Contributor II

Hi @Jeffrey_Goldberg ,

Thanks for the reply.

Our use cases are as follows
We have a SPA web application and we want to share an embedded dashboard within that app without creating a Qlik account for our customers.
We were looking for a way to do that and found a way to pass an access token as a parameter to the websocket url in the qlik/sdk code. I was trying to do the same thing but was getting errors so I thought I was doing something wrong and posted the question.