How to properly use the access token?


Ok, so I’ve studied how to be able to use the API when an app that I have allows me to get a user’s authorization code. I understand that I use that to get a user’s access token, which should grant me access on using Zoom’s API to get something like a user’s meetings for example. However, from what I’ve read, this token only lasts for about 1hr. What is the best way to handle that? Like, do I have to keep getting a new token every time, or every time it is called, to keep refreshing it over and over? Is there a way to verify it, and if it shows invalid, request a refresh? Also, is it good practice to save the refresh and access token on a DB, or should I request it every time? I am new to using Zoom’s API, so I would love to see suggestions.


This will be contingent on which Marketplace app type you are leveraging. For example, if you are using Server-to-Server OAuth, which does not return a refresh token, you will have to just make another request if the access token is expired. So you keep getting a new token every time. Here are some helpful articles on Server-to-Server OAuth for your reference.

When to use Server-to-Server OAuth app and when to use OAuth app ?

Why use Server To Server OAuth?

On the other hand, if you are using OAuth, then you would use the refresh token to request new access tokens after the access token expires. To this point, you should have a strategy in place for rotating refresh tokens, as once a new access token is issued, that request immediately invalidates the previous refresh token.

There are many best practices you can consider when it comes to saving the refresh and access token on a DB. I should note that when there are duplicate requests to ‘OAuth/token’, a “Save Access token into Database” error message displays.

A suggested workflow for the refresh and access token on a DB is:

  1. Build a flag that indicates if the new access token is in process. (A flag can be DB data or cache)

  2. When the first request finds the access token is expired, then it tries to get the new access token.

  3. Meanwhile, you can set the value of the flag to true (the default value is false).

  4. Then the value is set to false after the access token is successfully retrieved; in the meantime, the other requests need to wait.

Please let me know if this helps or if you have any further questions.
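The two app types and the flag-based workflow from the answer above, as an added example that is not part of the original thread or Zoom's own code. It runs offline against a constructed in-memory stand-in for the token endpoint; the grant type names (`refresh_token`, `account_credentials`), the `/oauth/token` endpoint and the `expires_in` field are assumptions for illustration. The flag is the `refreshing` attribute: the first request that finds the token expired sets it and performs the refresh, every other request waits on a condition variable, and the rotated refresh token is stored before the flag is cleared so no waiter can reuse the invalidated one.

```python
"""Added example: cached tokens with a single-flight refresh (offline)."""
import secrets
import threading
import time


class FakeTokenEndpoint:
    """Constructed stand-in for POST /oauth/token: rotates refresh tokens and
    rejects one that has already been exchanged, as the answer describes."""

    def __init__(self):
        self.valid_refresh_tokens = {"rt-initial"}
        self.calls = 0
        self._lock = threading.Lock()

    def post(self, grant_type, refresh_token=None):
        with self._lock:
            self.calls += 1
            if grant_type == "account_credentials":   # Server-to-Server OAuth: no refresh token
                return {"access_token": "at-" + secrets.token_hex(4), "expires_in": 3600}
            if grant_type == "refresh_token":
                if refresh_token not in self.valid_refresh_tokens:
                    raise RuntimeError("invalid_grant: refresh token already used")
                self.valid_refresh_tokens.discard(refresh_token)
                new_rt = "rt-" + secrets.token_hex(4)
                self.valid_refresh_tokens.add(new_rt)
                return {"access_token": "at-" + secrets.token_hex(4),
                        "refresh_token": new_rt, "expires_in": 3600}
            raise ValueError(f"unsupported grant_type {grant_type}")


class TokenStore:
    """Cached access/refresh token (in memory here; a DB row or cache key in a
    real deployment). `refreshing` is the flag from the suggested workflow."""

    def __init__(self, endpoint, grant_type, refresh_token=None, skew=60):
        self.endpoint = endpoint
        self.grant_type = grant_type
        self.refresh_token = refresh_token
        self.access_token = None
        self.expires_at = 0.0
        self.skew = skew            # renew a little early so in-flight API calls do not hit a 401
        self.refreshing = False
        self.cond = threading.Condition()

    def _expired(self):
        return self.access_token is None or time.time() >= self.expires_at - self.skew

    def get_access_token(self):
        with self.cond:
            while self.refreshing:              # another request owns the refresh: wait
                self.cond.wait()
            if not self._expired():
                return self.access_token
            self.refreshing = True              # flag -> true; this request owns the refresh
        try:
            if self.grant_type == "refresh_token":
                resp = self.endpoint.post("refresh_token", self.refresh_token)
            else:
                resp = self.endpoint.post("account_credentials")
            with self.cond:                     # store the result before waking the waiters
                self.access_token = resp["access_token"]
                self.expires_at = time.time() + resp["expires_in"]
                if "refresh_token" in resp:     # persist the rotated token; the old one is dead
                    self.refresh_token = resp["refresh_token"]
                return self.access_token
        finally:
            with self.cond:
                self.refreshing = False         # flag -> false even if the request failed
                self.cond.notify_all()


def demo_concurrent_refresh(n_threads=8):
    """Several workers find the token expired at once; only one request should
    reach the endpoint and all of them should receive that same token."""
    endpoint = FakeTokenEndpoint()
    store = TokenStore(endpoint, "refresh_token", refresh_token="rt-initial")
    tokens, lock = [], threading.Lock()

    def worker():
        tok = store.get_access_token()
        with lock:
            tokens.append(tok)

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"calls": endpoint.calls, "distinct_tokens": len(set(tokens)),
            "rotated": store.refresh_token != "rt-initial"}


def demo_server_to_server():
    """Server-to-Server OAuth: no refresh token, an expired token is simply fetched again."""
    endpoint = FakeTokenEndpoint()
    store = TokenStore(endpoint, "account_credentials")
    first = store.get_access_token()
    cached = store.get_access_token()        # still valid: no request sent
    store.expires_at = 0.0                   # simulate the hour passing
    again = store.get_access_token()         # new request, new token
    return endpoint.calls, first == cached, again != first
```

An in-process condition variable only coordinates one worker process. With several processes or hosts, the flag has to live where the answer puts it, in the DB or cache, set with an atomic set-if-absent and a short TTL so a refresher that crashes mid-request cannot leave the flag stuck at true; the tokens themselves should be stored encrypted at rest, since a refresh token is a long-lived credential for the user's account.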

Thank you so much for your reply. I have tried to set up a way to get an access token, but it comes back with an error every time! The return URI appears to either be invalid or wrong? According to the error:

   reason: "Invalid request : Redirect URI mismatch.",
   error:  "invalid_grant"

I am not entirely sure what I am doing wrong. The return URI is one that I have in the safe list of my app, but it keeps returning that error. What could be the issue with that?

That should be an easy fix, @rmjuarez12. You need to double-check that the redirect URL entered for your OAuth App matches the redirect URL used when making the Authorization request.

Redirect URL for OAuth

Step 1: Request user authorization
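The check behind the answer above, as an added example that is not from the thread and is not Zoom's own validation code: the `redirect_uri` sent in the authorization request, the one later sent in the code exchange, and the one registered for the app must be the same string. The helper below builds the authorization URL with a random `state`, keeps the exact `redirect_uri` for the token exchange, and reports which part of a URI differs from the allow list (scheme, host or port, trailing slash, query) so a mismatch is found before the server answers `invalid_grant`. The authorize endpoint URL and parameter names are assumptions for illustration.

```python
"""Added example: exact-match redirect URI check and authorization request builder."""
import secrets
from urllib.parse import urlencode, urlsplit

AUTHORIZE_URL = "https://zoom.us/oauth/authorize"   # assumed endpoint for illustration


def build_authorize_url(client_id, redirect_uri):
    """Return (url, state). Store state and redirect_uri in the session: the
    callback must echo the state, and the code exchange must reuse this exact URI."""
    state = secrets.token_urlsafe(16)   # binds the callback to this session (CSRF protection)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def token_exchange_params(code, redirect_uri):
    """Body for the code exchange; redirect_uri must be byte-for-byte the one used above."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}


def explain_mismatch(registered, used):
    """[] when the two URIs are identical, otherwise the differences to look at."""
    if registered == used:
        return []
    r, u = urlsplit(registered), urlsplit(used)
    reasons = []
    if r.scheme != u.scheme:
        reasons.append(f"scheme: {r.scheme!r} vs {u.scheme!r}")
    if r.netloc != u.netloc:
        reasons.append(f"host/port: {r.netloc!r} vs {u.netloc!r}")
    if r.path != u.path:
        if r.path.rstrip("/") == u.path.rstrip("/"):
            reasons.append("trailing slash differs")
        else:
            reasons.append(f"path: {r.path!r} vs {u.path!r}")
    if r.query != u.query:
        reasons.append("query string differs")
    return reasons or ["differs only in characters not shown (whitespace or encoding)"]


def redirect_uri_allowed(allow_list, used):
    """True only if `used` exactly equals an entry of the app's allow list."""
    return any(not explain_mismatch(entry, used) for entry in allow_list)
```

Run `explain_mismatch` against the registered value whenever the code exchange fails with a redirect URI error; the usual culprits it surfaces are `http` versus `https`, a missing or extra trailing slash, and a local port that is present in one place and not the other.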

Oh wow, I should really learn how to read lol I missed that entirely, thank you so much. Ok, so for the flow from the Backend, should it be better to save the authorization code, or would it be better to get the access token immediately and just save the access and refresh token? Or better to save all 3? I just want to try to get an idea on what would be the best course of action.