API Endpoint(s) and/or Zoom API Event(s)
POST https://zoom.us/oauth/token (with grant_type=refresh_token)
Description
I am using a General OAuth App (User-authorized OAuth 2.0) for a single service account.
My application architecture is as follows:
- Secrets Manager stores client_id, client_secret, and the current refresh_token.
- We do not store the access_token (it expires in 1 hour).
- A main CRUD Lambda reads the refresh_token from Secrets Manager, calls the refresh endpoint to get a new access_token, and uses it for API calls (create/delete/end meeting).
- A separate daily rotator Lambda runs at 3 AM to proactively refresh and update the refresh_token in Secrets Manager.
I have observed through empirical testing that the same refresh token can be successfully used multiple times over multiple days to obtain new access tokens.
Question:
According to the current Zoom behavior (2026), when I successfully call the refresh token endpoint:
- Is the old refresh token immediately invalidated, or can it still be used for some time?
- What is the official recommended best practice? Should we always store and use the new refresh token returned in the response on every refresh, or is it acceptable to keep using the same refresh token for a period of time?
Error?
No specific error at the moment. This is more of a clarification / best practice question to make our token management robust.
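
Added example (not part of the original post and not Zoom's code): a refresh routine for the two-Lambda setup described above that stores whatever refresh_token the response returns and, on `invalid_grant`, re-reads the secret once in case the other Lambda already stored a newer token. `MemorySecret`, `FakeTokenEndpoint` and `get_access_token` are hypothetical names, and the endpoint is a constructed simulator that can behave either way; it makes no claim about how Zoom behaves.

```python
class InvalidGrant(Exception):
    """Token endpoint rejected the refresh token (OAuth error "invalid_grant")."""

class MemorySecret:
    """Constructed stand-in for the Secrets Manager entry holding refresh_token."""
    def __init__(self, refresh_token):
        self.refresh_token = refresh_token

class FakeTokenEndpoint:
    """Constructed simulator of a token endpoint, NOT a model of Zoom's behavior.
    rotate=True: each refresh returns a new refresh token and retires the old one.
    rotate=False: the same refresh token stays valid and is echoed back."""
    def __init__(self, initial, rotate):
        self.valid, self.rotate, self.n = {initial}, rotate, 0
    def refresh(self, refresh_token):
        if refresh_token not in self.valid:
            raise InvalidGrant(refresh_token)
        self.n += 1
        new_rt = refresh_token
        if self.rotate:
            new_rt = f"rt-{self.n}"
            self.valid = {new_rt}
        return {"access_token": f"at-{self.n}", "refresh_token": new_rt}

def get_access_token(secret, endpoint, used=None):
    """Refresh, persist any refresh token that differs from the one sent,
    and return the access token. `used` lets a caller pass a token it read
    earlier (assumption: models a stale read by the CRUD Lambda)."""
    used = secret.refresh_token if used is None else used
    try:
        resp = endpoint.refresh(used)
    except InvalidGrant:
        latest = secret.refresh_token      # re-read: another writer may have rotated
        if latest == used:
            raise                          # nothing newer stored: re-authorize
        return get_access_token(secret, endpoint, used=latest)
    returned = resp.get("refresh_token")
    if returned and returned != used:
        secret.refresh_token = returned    # persist before using the access token
    return resp["access_token"]
```

In the real deployment the secret read and write would go through Secrets Manager, and the write should complete before the access token is used, so that a crash cannot lose a rotated token.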