Cannot renew access and refresh token (invalid_grant)

API Endpoint(s) and/or Zoom API Event(s)

https://zoom.us/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI

Description

We keep on receiving the error message every time our app attempts to renew the refresh token. We’ve been receiving the same issue lately. Usually when we encounter this issue, we just reauthorize the app as a workaround and the problem is solved. But we started encountering problems with reauthorizing the app as well. When we “Add” our app in Activation, it redirects us to a wrong landing page in our system (there is no information yet if this happens before or after redirection for OAuth). We also tried using the “Add URL” but the same thing happens.

Error?
1. Every time our system renews our token we get this error: {"reason":"Invalid Token!","error":"invalid_grant"}
2. We reauthorize the app but it fails.

How To Reproduce
Steps to reproduce the behavior:
1. https://api.zoom.us//oauth/token?grant_type=refresh_token&refresh_token=REFRESH_TOKEN&client_id=CLIENT_ID&client_secret=CLIENT_SECRET
2. OAuth
3. Access and refresh token not renewed in the database. Redirect to our system landing page (not correct) during/after the API request.

Hi @housing_ring, it seems to me you are requesting a new access token instead of using the refresh token to request the next access token. You should ideally not be required to reauthorize the app to gain the next access token.

It looks like you are passing a request to the /oauth/token endpoint using the client ID and client secret as query parameters, but this should be sent as an Authorization header rather than as a query parameter.
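The refresh call described in the reply above, as an added example that is not part of the thread or Zoom's own code: the client ID and secret go in a Basic Authorization header, so they never appear in a URL that ends up in access logs or proxy history. The `zoom.us` host, the function names, the `store` dict and the `access_token`/`refresh_token` response fields (standard OAuth 2.0 names) are assumptions of this sketch.

```python
import base64
import json
import urllib.parse
import urllib.request

# Endpoint path as named in the thread; the host is an assumption.
TOKEN_URL = "https://zoom.us/oauth/token"


def build_refresh_request(client_id, client_secret, refresh_token):
    """Build (not send) the refresh POST: credentials in the header, not the URL."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": refresh_token}
    ).encode()
    return urllib.request.Request(
        TOKEN_URL,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def apply_token_response(store, status, raw_body):
    """Update the hypothetical token store from a token-endpoint response.

    Returns "renewed", "reauthorize" (invalid_grant) or "retry" (anything else).
    The store is overwritten only when both new tokens are present, so a failed
    call never replaces the stored refresh token with an empty value.
    """
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return "retry"  # non-JSON body, e.g. a gateway error page
    if not isinstance(payload, dict):
        return "retry"
    if status == 200 and payload.get("access_token") and payload.get("refresh_token"):
        store["access_token"] = payload["access_token"]
        store["refresh_token"] = payload["refresh_token"]
        return "renewed"
    if status == 400 and payload.get("error") == "invalid_grant":
        return "reauthorize"
    return "retry"
```

Pass the built request to `urllib.request.urlopen` to send it, then hand the status code and body to `apply_token_response` and persist `store` in the same database transaction.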

Hello Michael,

it seems to me you are requesting a new access token instead of using the refresh token to request the next access token.

Yes, you’re right. The reason we performed this method was that we cannot request a new token using our refresh token. We always get the invalid_grant error.

It looks like you are passing a request to the /oauth/token endpoint using the client ID and client secret as query parameters, but this should be sent as an Authorization header rather than as a query parameter.

Sorry, there was a slight mix-up on this part. The link indicated on Step 1 was the link we got from the reauthorization button (“Add” button).
In regards to what you said, yes, we passed the client id and client secret as an Authorization header just as the documentation says.

Any other idea what could be the reason for this?

Thank you,

Ring

Hello @michael.zoom ,

We also store our tokens in our database. And we are aware that refresh tokens last for 15 years but how come we get “Invalid_token”, “Invalid_grant” errors. Any idea?

Regards,

Ring

We had a series of tests in our system and noticed that there was an inconsistency when renewing a token. Sometimes it is successful and sometimes it also returns an “Invalid_grant” error even though we use the old refresh token stored in our database. Usually, the error happens when the token is renewed after days (let’s say after a week). Do you have any idea on what’s the cause or maybe how to prevent this in the future? If you need logs from our system for analysis, please let me know.

Regards,

Ring


I am also having inconsistency issues renewing tokens (we store the new refresh and access token after every request) and notice these 400s a while after the token has been created.