Sorry to be a pain about this (and sorry to start a new thread, but since you can’t reply to a thread on which you’re already the last post and you can’t delete that post, there’s little choice). but I’m now up to the point where I have an OAuth2 user access token and need to query their profile mounts collection.
The request I’m sending isn’t returning any data though, and I’m unsure why.
$url = https://us.api.blizzard.com/profile/user/wow/collections/mounts?region=us&namespace=profile-us&locale=en_US; // example URL
$token = <string of 34 characters that the OAuth server sent me that looks legit, I guess?>;
curl_setopt($curl_handle, CURLOPT_URL, $url);
curl_setopt($curl_handle, CURLOPT_USERPWD, $ClientID . ':' . $ClientSecret);
curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl_handle, CURLOPT_HTTPHEADER, ["Authorization: Bearer {$token}"]);
$response = curl_exec($curl_handle);
$status = curl_getinfo($curl_handle, CURLINFO_HTTP_CODE);
The response is empty and the status is 403. 
Thanks for any help!
Make sure what you have is actually the access_token, what you get from the OAuth2 server in the redirect_uri callback is only the authroization_code.
The function I showed you is used to exchange this authorization_code to the actual access_token using your client_id and client_secret as HTTP basic auth.
In the sample code you provided you are using HTTP basic auth. If you already have the access_token you don’t use basic auth anymore, just the access_token in a bearer header or as part of the queryString.
Also you don’t pass the region as a queryString parameter, it is actually a subdomain.
$url = "https://us.api.blizzard.com/profile/user/wow/collections/mounts?namespace=profile-us&locale=en_US";
$token = '<USE access token NOT authorization code>';
curl_setopt($curl_handle, CURLOPT_URL, $url);
curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl_handle, CURLOPT_HTTPHEADER, ["Authorization: Bearer $token"]);
$response = curl_exec($curl_handle);
$status = curl_getinfo($curl_handle, CURLINFO_HTTP_CODE);
Thanks Schiller!
Well, that’s embarrassing. The auth code and access token parts had looked like they were working fine, so when I added the collection query and it didn’t work I assumed it had to be that. It turns out I accidentally introduced a bug into the auth code part at the same time and hadn’t even noticed. One fixed, it all works.
Thanks again for all your help! It’s been invaluable. 