How do we stop using refresh_token in query parameters?

We got this email:

As a part of our continuing efforts to improve the security of Zoom OAuth App Types using Authorization flow, we are removing the ability to set the access tokens, refresh tokens and revoke tokens in the URL query parameters. This change will take effect on February 14th, 2023.

It is strongly recommended that you update your API calls to set the token values in the Authorization header and not the HTTP query parameters. Failure to do so will result in rejected API calls and a reduced functionality for your application.

You can read more about the change on the FAQ and how to do OAuth via the Authorization header.

And you do clearly state there “, refresh tokens and revoke tokens”.

But the " OAuth via the Authorization header" link goes straight to which shows the exact thing you are apparently removing.

And only talks of access_token.

So how do we comply with your new policy?

Hi @Delenta ,

Those values should be sent in the request body as opposed to the request header, but I see the confusion in our docs.

Here it is in our public workspace: Postman

Try it out and let me know if it is clearer. I will make a request to revise our docs :slight_smile:

1 Like

Ok thanks, a follow question as well, since I noticed you put grant_type in body, if I call like:


Does that mean that all of those, including code and redirect_uri, need to be request body params; in other words you are actually disabling all query parameter passed arguments?

By looking at the actual example on the postman it seems yes, everything should use post fields now

1 Like

Happy to help! Take care!

This topic was automatically closed 368 days after the last reply. New replies are no longer allowed.