Webmaster API returning 400 error "Origin and Referer request headers are both abscent/empty"

Alight Analytics 6 Reputation points

We have been making requests to the Webmaster API for many months now and just recently we've been receiving 400 errors stating "Origin and Referer request headers are both abscent/empty." I cannot find anything in the Webmaster API documentation that refers to this error or tells me what the "origin" and "referer" headers should be since we haven't been using them. I've tried using my app's registered URL as a referer, but I would get the error, "Could not extract anti-forgery token."

Copy of request and response below

< POST /webmasters/oauth/token HTTP/1.1
< Host: www.bing.com
< User-Agent: python-requests/2.22.0
< Accept-Encoding: gzip, deflate
< Accept: */*
< Connection: keep-alive
< referer: channelmix
< Content-Length: 964
< Content-Type: application/x-www-form-urlencoded
< client_id=xxxxxxxx&client_secret=xxxxxxxx&grant_type=refresh_token&refresh_token=xxxxxxxxx
> HTTP/1.1 400 Bad Request
> Content-Length: 45
> Vary: Cookie
> Content-Security-Policy: frame-ancestors 'self'
> X-Powered-By: ASP.NET
> Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
> X-MSEdge-Ref: Ref A: 23B99E30D7754B7EBD964DE121B7779D Ref B: CHGEDGE1821 Ref C: 2022-01-21T22:21:25Z
> Date: Fri, 21 Jan 2022 22:21:24 GMT

Could not extract expected anti-forgery token


4 answers

  1. Erika Wiedemann 1 Reputation point

    Since January 11th I've also started seeing this error, with no resolution. It's been running for many months without any changes on our side.
    I see msads has a new MFA banner here: https://learn.microsoft.com/en-us/advertising/guides/authentication-oauth?view=bingads-13

    However, I've been following https://learn.microsoft.com/en-us/bingwebmaster/oauth2 exactly as written with no luck.


  2. Kyle Thompson 1 Reputation point

    This issue is still persisting on our side. Error when exchanging refresh token for Access token on missing origin in request header.

    I have also had no luck finding reference to this in the Webmaster Oauth Documentation.


  3. alex sunny 1 Reputation point

    Thanks for the awesome information.


  4. Erika Wiedemann 1 Reputation point

    I've had total success since Feb 07, with no changes on my part. I am assuming something was fixed within Bing.
