So you are passing the clientID as XXX?
Shouldn’t it be
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'Client-ID: ' . $extensionID,
'Authorization: Bearer ' . $accessToken,
));
Also note that clientID’s are essentially public so you don’t need to worry about redacting them
And $clientId and $extensionID are the same value?