From reading various documents it seems like authorization is optionally required by oauth2 providers for refresh token requests. I’m working with the FitBit API that appears to require authorization. I’m following the instructions here for refreshing a token with requests-oauthlib: https://requests-oauthlib.readthedocs.io/en/latest/oauth2_workflow.html#refreshing-tokens Some setup code (not what I am using, but you get the idea: However, with this call I’m getting: