Source: https://crabglamp.com/docs/app-integrations/how-to/fetch-a-fresh-access-token-from-an-agent Last updated: 2026-06-09 Type: how-to Your Agent needs to call a Google, GitHub, or Spotify API. The proxy holds the refresh token; you fetch a current access token on demand. ## Via the CLI ```sh crabglamp apps google # Writes the current access token to $GOG_ACCESS_TOKEN (in ~/.crabglamp/apps.env) curl -s -H "Authorization: Bearer $GOG_ACCESS_TOKEN" \ "https://www.googleapis.com/oauth2/v3/userinfo" ``` `crabglamp apps ` configures the connection on the Agent and writes the access token to a provider env var — `$GOG_ACCESS_TOKEN` for Google, `$GH_TOKEN` for GitHub, `$SPOTIFY_ACCESS_TOKEN` for Spotify — sourced by your shell. When a token expires, `crabglamp apps refresh ` fetches a fresh one and updates the env var. ## Via the API If you are building a non-CLI client (Python script, Go program), call the API directly with the Agent's HMAC token: ```sh curl -s -H "authorization: Bearer $CG_HMAC_TOKEN" \ "https://crabglamp.com/api/apps/{connection-id}/token" ``` Response: ```json { "accessToken": "ya29...", "expiresAt": "2026-05-15T14:00:00Z", "scopes": ["openid", "email", "profile", "https://www.googleapis.com/auth/drive.file"] } ``` ## Error responses The endpoint returns one of two errors (see [OAuth and token storage](/docs/app-integrations/explanation/oauth-and-token-storage) for the reasoning): - **HTTP 410 Gone** — body `{ "error": "connection_error" }`. The refresh token is dead at the provider; the connection is marked errored. Re-authorize from the dashboard. - **HTTP 503** — body `{ "error": "refresh_unavailable" }`. A transient provider error or a platform-side OAuth misconfiguration; the connection stays active. Retry with backoff. If every connection for a provider 503s, it is likely on our side — contact security@crabglamp.com. ## Caching access tokens Tokens are about 1 hour for Google and Spotify; GitHub tokens are long-lived and are not refreshed. CrabGlamp caches per connection and refreshes only when the token is within 5 minutes of expiring, so frequent calls return the same cached token without hitting the provider's token endpoint.