Environment Variables via curl

Hi, I am having trouble trying to send a curl request as in this example. Curl/HTTP requests are new to me but I am trying to learn. I am trying to send the following:

curl -X GET -L 'https://api.notefile.net/v1/projects/<projectUID>/devices/<deviceUID>/environment_variables' -H 'Authorization: Bearer <access_token>'

I get the following message back:

“err”: “The requested action was forbidden”,
“code”: 403,
“status”: “Forbidden”,
“request”: “/v1/projects/app:4460e3c4-7747-4283-90a7-6a7b636a572a/devices/dev:94deb82a9906/environment_variables”,
“details”: {
“body”: “”
“debug”: “denied access to identifier account:anonymous, resource blues:resources:app:1192:devices, actions read”

I was able to setup programmatic API access and retrieve an OAuth token. I made sure it was correct, and tried to generate a new one a few times to make sure it didn’t expire. I am trying to use an environment variable to control the sample rate of my sensors. My overall goal here is to update the environment variable from an Ubidots webhook trigger, enabling the end-user to change the sample rate from the Ubidots dashboard. The above attempt is a preliminary trial to verify the functionality of the curl before creating the Ubidots webhook.

P.S. I am confused as to how this would work, though, if the oauth token expires every 30 minutes. Does this mean Ubidots would need an updated token every 30 minutes? Is what I am trying to do feasible?


Just posting an update – I am successful with the curl requests when using a session token, but not when using OAuth token.

Hi @tsuzenski,

It seems to me like the error you’re getting is because you’re not passing in a correct token into the Authorization: Bearer <token> header. the error message thinks you’re an anonymous user which means that the token probably failed to be validated. To acquire a token, use a request like this:

curl -X POST
 -L 'https://notehub.io/oauth2/token'
 -H 'content-type: application/x-www-form-urlencoded'
 -d grant_type=client_credentials
 -d client_id=your-client-id
 -d client_secret=your-client-secret

The resulting JSON response should contain a token that you can then pass to the Authorization header.

if the oauth token expires every 30 minutes. Does this mean Ubidots would need an updated token every 30 minutes?

Yes, that’s right. This is a security feature so that if any token is compromised, it will only be valid to a malicious third-party for 30 minutes. Of course, this does require more client-side code to manage and refresh tokens when they expire. The X-Session-Token does not expire, though.

1 Like


Thank you! I had successfully acquired a token with that request but must not have placed it in the header properly. I replaced “token” (along with the <>) with the token from the JSON response, and keeping “Authorization: Bearer”. I am figuring that was incorrect.

The session token seems to be a better solution for me right now until I can develop the code to refresh the OAuth tokens.

The angle brackets < and > should be dropped. They are used to draw attention to a variable you would replace with the actual value.

If you are continuing to have difficulty, then paste your command here with either a partial auth token (e.g. a24fe92xxxxxxxxxxxxxxx) or no token at all.

Hi Zak!

I did drop the angle brackets; sorry for phrasing it poorly. Here is one of the commands I am trying:

curl -X GET -L 'https://api.notefile.net/v1/projects/app:4460e3c4-7747-4283-90a7-6a7b636a572a/environment_variables' -H 'Authorization: Bearer "TFmJO_xxxxxxxxxxx"'

Which returns:

    "err": "The requested action was forbidden",
    "code": 403,
    "status": "Forbidden",
    "request": "/v1/projects/app:4460e3c4-7747-4283-90a7-6a7b636a572a/environment_variables",
    "details": {
        "body": ""
    "debug": "denied access to identifier account:anonymous, resource blues:resources:app:1192:settings, actions read"

I am assuming I am not formatting the token header properly?

I also tried the command without quotes around the token, and it returned no content and a 403 status. I retrieved another auth token and tried this request again right after to make sure the token was not expired.

@tsuzenski, try not including the double quotes around the token


I did try that; no content is returned except a 403 status. Here is the raw output:

HTTP/1.1 403 Forbidden
Date: Wed, 06 Sep 2023 16:59:27 GMT
Content-Length: 0
Connection: keep-alive
Vary: Origin

When you generated the token, did you use the client-id of “c1922…” or “a0ad9…”?

Oh no, I was mixing up 2 of my projects… oops… Such a dumb mistake.

The client ID I was using was “a0ad9…” which was for the wrong project… Using “c1922…” is successful. Thank you so much for your help!