Intermittent Production Issues starting to occur with oauth token refresh

Description
Since around March 20, 2021, we’ve started receiving the below error intermittently when refreshing an access token. On a subsequent retry with the same headers, parameters, etc., the error doesn’t occur and we receive the new access token and refresh token accordingly.

Error
{“reason”:“Invalid client_id or client_secret”,“error”:“invalid_client”}

Which App Type (OAuth / Chatbot / JWT / Webhook)?
OAuth

Which Endpoint/s?
https://zoom.us/oauth/token?grant_type=refresh_token&refresh_token=

How To Reproduce (If applicable)
Steps to reproduce the behavior:

  1. Request a refresh access token
  2. Error Occurs
  3. A subsequent attempt a minute later may work, with the exact same data

This seems to happen less than .1% of the time.

Additional context
We’ve been integrated with Zoom in production for about a year now with over 150 clients without any issues and our application logic hasn’t changed.

Thanks for any help!

Hey @s27_zoom,

Thanks for reaching out about this.

While I understand this is happening very rarely, I should note that refresh token errors can occur for a few different reasons. Is it possible either of these could be occurring in the instances where you’re seeing this? (it sounds like it’s likely not the first since you’re doing this successfully most of the time)

  1. If a new access token is generated, both the previous access token and refresh token will become invalid. Make sure you’re updating each of these tokens each time you request a new access token.
  2. Another situation that can arise is if multiple requests are sent using the same refresh token within a short amount of time, a race condition may prevent all requests from going through successfully. In this case, if you are not able to update the refresh token at your end (this generally happens when you make multiple requests in a short amount of time), a recommended workaround would be to reauthorize the app.
  3. If a user uninstalls the app by revoking the authentication , the refresh token will become invalid. This may not be a scenario in your case.

Let me know if you think any of these could be the case.

Thanks!
Will