Oauth access_token: Error while substituting the templates

Hi All,

In a custom app with Oauth, during onAppInstall event I am trying to make a POST request call to a third party API with Basic Auth for which I have to use the Oauth Access Token as username and X as password.

Here is the code below:

$request.post('https://thirdparty.com', {
          headers: {
            Authorization : `Basic <%= encode(access_token + ':X') %>`
          body: JSON.stringify({
            "webhook_url": targetUrl,

I am getting this error:
{“status”:400,“headers”:{},“response”:“Error while substituting the templates”,“errorSource”:“APP”}

Have I made any mistake in:

Authorization : `Basic <%= encode(access_token + ':X') %>`

Is there any other way to access the Oauth access_token instead of using templating?


Hi Syed,

I also faced same issue, which is fixed by freshworks support specialists :slight_smile:

Hey Furqan,

Could you kindly tell me what was the fix given by the support specialists?

Is it something that we have to do in the code or is it something that the specialist perform in their end?



Unfortunately No, that is fixed by their side.

@velmurugan can u please look into this issue, that you had solved for me.


Hey @syedm,

You are facing this issue due to recent security updates in our platform, you can fix this issue by whitelisting the domain in the manifest.json file, you can follow the Whitelisted-Domains section in this link to learn how to whitelist your domain.

you can also check out more about our recent security updates in the below forum threads,

Hope this helps!

Stay Safe :slight_smile:

1 Like

Hi @velmurugan,

I am passing access token template in the headers only and
I have whitelisted the urls as well but I am getting the same issue.

Could you please check the code snipped and check if I have missed something?


Hi @syedm,

Could you please share your manifest.json file here and the third party URL’s which u r using in your app. So I can verify things by your side.


hey @syedm,

Sometimes Oauth apps might use a different redirect URL/domains to handle authentication services, could you please check in the networks tab if any other URL needs to be whitelisted?

also, if possible could you send the complete app for us to debug the issue? if you cannot share the app in the public, you can send it via the forum DM

Stay Safe :slight_smile:

@syedm Are you passing the isOAuth: true option to the request options?

Please post here for the wider community if you have fixed the issue.