Postman Error - Refresh Token works, whoami doesn't

I followed Postman with Paul's directions to create my first API. I created environment variables to replace the collection variables.

I can successfully request a new access token and it updates the environment variables correctly.

However, when I run Get WhoAmI, I receive this error:

"type": "",
"title": "Unauthorized",
"status": 401,
"detail": "The access token is for another tenant"

I've tried both "Bearer Token" and "Inherit auth from parent" for Get WhoAmI's authorization type. WhoAmI's authorization is "Bearer Token" with the Token pointing to {{accesstoken}}. {{accesstoken}} is matching the token received from "Request a New Access Token and Refresh Token".

Any ideas or additional information I can provide to help troubleshoot this issue?



  • Justin.B.253
    Justin.B.253 Posts: 50 🧭

    I use Inherit auth from parent for running all API calls in Postman. Under the Authorization for the folder that hold all your commands, are you using.

    Auth Type: Oath 2.0
    Grant Type: Authorization Code
    Check box for: Authorize Using browser
    Auth URL:
    Access Token URL:
    Client ID: From your Manage Extensibility OAuth 2.0 setup in D2L.
    Client Secret: From your Manage Extensibility OAuth 2.0 setup in D2L.
    Scope: I run a lot of apis so my Scope list is long and has to match what you have in D2L- content:modules:read content:toc:read core:*:* datasets:bds:read enrollment:orgunit:create enrollment:own_enrollment:read grades:gradeobjects:read,write grades:gradevalues:read organizations:organization:read orgunits:course:create quizzing:quizzes:read role:detail:read users:userdata:create
    State: something random
    Client Authentication: Send as Basic Auth header

    Then I click Get Token at bottom which runs the processes and grants you a token, add the token.

    Now under Current Token, you should see Token and a name, the long token ID number and Header Prefix: Bearer.

  • You can paste your token into a token decoder like and check which tenant id it's registered for. You can check that against the site you're trying to use it for.

  • Justin.B.253
    Justin.B.253 Posts: 50 🧭

    @Joseph.W.983 that is cool, I didn't know you could do that.

  • Randall.S.394
    Randall.S.394 Posts: 24 🧭

    When I was playing with Paul's videos, I set my scope up to be core:*:*

  • Jennifer.M.128
    Jennifer.M.128 Posts: 4 🌱
    edited March 4

    @Justin.B.253 Initially, I had Auth for WhoAmI as Bearer Token instead of Oath 2.0, Request a New Access Token as No Auth, and Get WhoAmI as Bearer Token or as Inherit (neither worked.)

    I set WhoAmI as Oath 2.0 and filled it out.

    When setting Request a New Access Token to Inherit, I receive the error

    "error": "unauthorized_client",
    "error_description": "Unexpected Authorization scheme of "Bearer"",
    "rfc6749_reference": "2.3.1,"

    Get WhoAmI returns the same error.

    For Authorization under WhoAmI I have:

    Auth Type: OAuth 2.0

    Add auth data to: Request Headers

    Token: used to populate {{accesstoken}} and {{refreshtoken}} environment variables

    Header Prefix: Bearer

    Auto-refresh token: ON

    Share Token: OFF

    Grant Type: authorization code

    Callback url: autofilled as; authorize using browser is checked (and logs in successfully)

    Auth URL:
    Access Token URL:

    Client ID: (matches Manage Extensibility OAuth 2.0 setup)

    Client secret: (Manage Extensibility OAuth 2.0 setup)

    Scope: core:*:* users:*:*

    State: (random number)

    Client Authentication: Send as Basic Auth Header


    Thank you! When I paste in the access token, it says "invalid signature". I have the algorithm set to RS256; is that correct/does it matter?
    The "azp" does match my client_id

  • Justin.B.253
    Justin.B.253 Posts: 50 🧭

    After logging into D2L, open a new tab and paste this into your browser -

    Replace your-org with yours obviously, do you get results? If you do, then something is still in incorrect in your Postman settings. I'd be happy to set up a Zoom call if you are interested. Send me an email:

  • Jennifer.M.128
    Jennifer.M.128 Posts: 4 🌱

    Thank you everyone for your help! I was able to get it to work. While I wasn't able to narrow down the exact cause of the problem, I know it had something to do with the way I set up the environment variables. (I started the course again in a fresh workspace.)