Concurrency issue in Server to server OAUTH APP token gets expired

Hi, as the JWT app is getting deprecated, we are migrating to a Server-to-Server OAuth app.

Sometimes, randomly, we come across an issue:

124- Invalid access token during our API calls

It may be due to concurrent API calls, as multiple API calls are getting hit simultaneously, so the token is getting invalid.
I have read in some articles that we need to increase the token_index of our app, which can be used in the https://zoom.us/oauth/token API.

What is the max limit count for token_index for the OAuth token API?
Who should we contact to increase our token_index limit?

Please send me some documentation of how this token_index works in OAUTH token API and how it should be implemented.

Or is there another workaround for this issue?

Please reply urgently

Hi @alroya
Thanks for reaching out to the Zoom Developer Forum, I am happy to help here!
This invalid access token issue you are seeing could be due to the concurrent API calls that you are generating; what I mean by this is that when you generate a new access token, the previous one will get invalidated.
A workaround for this issue is increasing your token_index tolerance or also creating different apps for different purposes.

Hope this helps,
Elisa

Hi @elisa.zoom
What is the max value of token_index tolerance?
Who should I contact to increase token_index tolerance of my application?

Can you please provide me with some documentation regarding this token_index tolerance implementation?

Hi @alroya
You will have to reach out to our support team here:
https://support.zoom.us/hc/en-us

And they will help you with this.
I am not aware of the max value of the token_index tolerance but support will be able to provide you with that information.
Cheers,
Elisa

Hi,
Can anyone help with max value of the token_index tolerance for the OAUTH APP?
Regards,
Alroy Alvares

In my case, I was limited to 3 token_index values (but testing still only accepted the default value of 1 for that parameter, so no impact from working with support), which wasn’t enough to cover two environments anyway, so I ended up creating multiple identical applications. In theory, you can negotiate for higher limits if you have what they called “a genuine business impacting use case” to counter the “higher security risk of having more index token [values]”.

Hi @MultiplayerSession
Thanks for sharing that with the community.
I am just curious about your case, where you cannot use the token_index … I am happy to take a look into this for you.
If you have a support ticket number that you could share with me, I am happy to troubleshoot it.

Hi @elisa.zoom,

My ticket number is #16998355. Please check this out also.

Regards,
Alroy Alvares

Hi @MultiplayerSession

Thank you for your help,

If there are multiple users, how will it work if the OAuth token is getting expired? For example:
One user is creating a Zoom meeting via the API and another is deleting another Zoom meeting at the same time, then the first token will get invalidated.

The JWT app was not having this issue, so this migration to Server-to-Server OAuth is having this drawback.

Regards,
Alroy Alvares

I will take a look into this @alroya

@alroya You have two valid (from Zoom’s perspective) tokens simultaneously (either via separate token_index values or different applications), but only one of them is in active use by your application at a given time. If you have a shared database, it can decide which one is in active use. You renew and perform maintenance on the token that is inactive, then swap it into active use for your application. Other processes can continue using the previous active token because it’s still valid from Zoom’s perspective, so they don’t need to notice the new token immediately. I’ve written more about this concept of a key rotation strategy in other threads.

@elisa.zoom I was getting an HTTP 400 response code with the body {"reason":"Invalid request : Maximum group number limit exceeded","error":"invalid_request"} whenever I raised the token_index above 0, but I’d invested 2 months into support ticket #14947692 and decided it was no longer worth the effort to troubleshoot further when anyone can just create multiple duplicate applications without Zoom’s prior approval (which is what the first backend engineer’s reply to that ticket recommended doing anyway) for functionality that should be available by default. Don’t worry about it; we needed 4 valid tokens anyway to share across 2 environments, and I don’t anticipate switching back to using token_index and coming up with a persuasive “genuine business impacting use case” at this point to make that happen.
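
The two-token rotation described in the post above, as an added example that is not part of the thread or Zoom's code. `FakeIssuer` is a constructed stand-in for the token endpoint (it makes no network calls), and the class names and slot names `A`/`B` are hypothetical; a slot may be a token_index value or a separate application.

```python
import itertools
import threading


class FakeIssuer:
    """Constructed stand-in for the token endpoint: issuing a token for a
    slot invalidates that slot's previous token, as described in the thread."""

    def __init__(self):
        self._valid = {}                 # slot -> the one token valid for it
        self._seq = itertools.count(1)

    def issue(self, slot):
        token = f"tok-{slot}-{next(self._seq)}"
        self._valid[slot] = token        # the slot's previous token dies here
        return token

    def is_valid(self, token):
        return token in self._valid.values()


class SharedTokenStore:
    """Hypothetical shared record (a database row in practice) that decides
    which of two slots is in active use."""

    def __init__(self, issuer, slots=("A", "B")):
        self._issuer = issuer
        self._slots = tuple(slots)
        self._lock = threading.Lock()    # stands in for a row lock
        self._tokens = dict.fromkeys(self._slots)
        self._active = self._slots[0]
        self._tokens[self._active] = issuer.issue(self._active)

    def current(self):
        """Token every worker should use for new requests."""
        with self._lock:
            return self._tokens[self._active]

    def rotate(self):
        """Renew the inactive slot, then swap it into active use. The old
        active token is untouched, so in-flight requests keep working."""
        with self._lock:
            inactive = next(s for s in self._slots if s != self._active)
            self._tokens[inactive] = self._issuer.issue(inactive)
            self._active = inactive
            return self._tokens[inactive]
```

A token stays valid only until its own slot is renewed again, so the interval between rotations has to exceed the longest time a worker holds a token before re-reading the store.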

@MultiplayerSession
Sorry to hear that, Chris. I will take a look just to understand what happened and I will communicate back with you. Please let me know if there is anything else I could do for you.

I am also having the same problem, please help. Support ticket #17239044