Refresh token JS

You can’t/shouldn’t be doing it “client side”. Ajax is a method to perform requests client side. And you are leaking users’ secrets/refresh tokens. A refresh token should be treated as securely as a client secret, which is why the implicit auth method (for client-side stuff) doesn’t even return a refresh.

Your example code leaks your Client Secret as well, which is against the rules of using a ClientID for every API.

  • Client secrets are equivalent to a password for your application and must be kept confidential. Never expose it to users, even in an obscured form.

But you seem to be using jQuery ajax, from your use of $:

http://api.jquery.com/jquery.ajax/

You need a data key which contains the data you wish to post.

So, since you seem to be working pure client side, you should be using

Which returns an access_token only and no refresh.
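The client-side implicit flow mentioned in the reply above, as an added example that is not part of the original post: it sends only the public client ID, never a client secret, and reads an access token (no refresh token) from the redirect fragment. The endpoint, client ID, redirect URI, scope name and sample token are placeholders constructed for illustration.

```javascript
// Added example: OAuth 2.0 implicit grant handled entirely in the browser.
// AUTHORIZE_URL, CLIENT_ID and REDIRECT_URI are placeholders (assumptions).
const AUTHORIZE_URL = 'https://auth.example.com/oauth2/authorize';
const CLIENT_ID = 'YOUR_CLIENT_ID'; // public identifier; no client secret is used here
const REDIRECT_URI = 'https://app.example.com/callback';

// Random per-request value that ties the redirect back to this browser session.
function newState() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// response_type=token selects the implicit grant: only an access token comes back.
function buildAuthorizeUrl(state, scopes) {
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    response_type: 'token',
    scope: scopes.join(' '),
    state,
  }).toString();
  return url.toString();
}

// Parse the fragment of the redirect (location.hash) and validate it.
function parseImplicitResponse(hash, expectedState) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  if (params.has('error')) {
    throw new Error('authorization failed: ' + params.get('error'));
  }
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch: response was not requested by this page');
  }
  const accessToken = params.get('access_token');
  if (!accessToken) {
    throw new Error('no access_token in redirect fragment');
  }
  // Keep the token in memory only; there is no refresh token to store.
  return { accessToken, tokenType: params.get('token_type'), scope: params.get('scope') };
}

// Constructed sample redirect fragment (not a real token or scope).
const sampleState = 'c3ab8ff13720e8ad9047dd39466b3c89';
const sampleHash = '#access_token=EXAMPLE_TOKEN&token_type=bearer&scope=user%3Aread&state=' + sampleState;
console.log(buildAuthorizeUrl(sampleState, ['user:read']));
console.log(parseImplicitResponse(sampleHash, sampleState));
```

In a page, call `newState()` before redirecting, keep the value in `sessionStorage`, and pass it as `expectedState` when the redirect comes back.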