Invalid access token in Server-Server OAuth

We’re migrating from JWT to the Server-Server OAuth application. And we see the “invalid access token” error for some of our requests:
Error response: {"code":124,"message":"Invalid access token."}

I can reproduce it:

Generate token:

curl --location --request POST '' \
--header 'Authorization: Basic XXX' 

The answer is

{
"access_token": "XXXX",
"token_type": "bearer",
"expires_in": 3599,
"scope": "user:write:admin dashboard_zr:read:admin dashboard_im:read:admin user:read:admin information_barriers:write:admin zoom_events_basic:read:admin recording:write:admin dashboard_home:read:admin report:master report:read:admin dashboard_crc:read:admin zoom_events_sessions:read:admin zoom_events_reports:read:admin user:master meeting:master dashboard:master dashboard_webinars:read:admin meeting:read:admin zoom_events_basic:write:admin zoom_events_registrants:read:admin dashboard_meetings:read:admin recording:read:admin meeting:write:admin information_barriers:write:master"
}

Then I create a Zoom meeting:

curl --location '' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer XXXX' \
--data '{
"topic": "Meeting Dev #1",
"type": "2",
"settings": {
"auto_recording": "cloud"
}
}'

I received this answer:

{
"code": 124,
"message": "Invalid access token."
}


x-zm-trackingid v=2.0;clid=aw1;rid=WEB_8d462191ab9544f49bc68bbbfe9af410
CF-RAY 7d6418332ff1ea4b-DFW

I can receive an access token, then create a meeting but when I try to remove the meeting I receive this error again. So there is no 100% when the access token doesn’t work at all.
And all requests are done during the same couple of seconds so it’s an expiration issue.

We have many instances of our service and there are many requests on each instance. Each request generates a new access token. Can it be a problem?

Hi @maksymhryhoriev
Thanks for reaching out to the Zoom Developer Forum and welcome to our community, I am happy to help here!
As of right now, the expected behavior when using a Server to Server OAuth app is that the creation of a new token will invalidate the previous one. So please make sure you are using the most recent token when making API calls so you don't run into this issue.


We have many stateless instances of our service which owns Zoom integration. Now we have to add a common data store + distributive lock. Are there any other options to avoid it?

We will be releasing a feature soon where you will be able to generate access tokens without invalidating the previous one…

That’s great news. Do you have ETA for it?

Hi @maksymhryhoriev
It is live now.
You should be able to request multiple tokens, and the request of a new one won’t invalidate the previous one.


Wow, that was quick. Thank you 🙂
I have one more question. Can we generate a new token for each request? Or should it be one token per service instance?

Hi! Yes, this feature was released over the weekend 🙂
You can generate as many tokens as you want, so it would be up to what works best for you. I think I would do it per service instance so you are not generating tokens per request.
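
The per-instance approach suggested above, as an added example that is not part of the original thread and is not Zoom's code: one cached token per service instance, refreshed shortly before `expires_in` runs out, with a single retry when the API answers `code` 124. `fetch_token` and `request` are assumed callables supplied by the caller (the token and API URLs are not shown in the thread), and `make_fake_issuer` is a constructed stand-in so the block runs offline.

```python
import threading
import time


class TokenCache:
    """One access token shared by a whole service instance."""

    def __init__(self, fetch_token, skew=60, clock=time.monotonic):
        self._fetch = fetch_token  # assumed callable: POSTs to the token endpoint, returns parsed JSON
        self._skew = skew          # refresh this many seconds before expiry
        self._clock = clock
        self._lock = threading.Lock()
        self._token = None
        self._expires_at = 0.0

    def get(self):
        with self._lock:  # concurrent callers wait instead of each minting a token
            if self._token is None or self._clock() >= self._expires_at - self._skew:
                body = self._fetch()
                self._token = body["access_token"]
                self._expires_at = self._clock() + int(body["expires_in"])
            return self._token

    def invalidate(self, failed_token):
        """Drop the cached token only if it is still the one that was rejected."""
        with self._lock:
            if self._token == failed_token:
                self._token = None


def call_with_token(cache, request):
    """request(token) returns the parsed JSON body; retry once on code 124."""
    token = cache.get()
    body = request(token)
    if isinstance(body, dict) and body.get("code") == 124:
        cache.invalidate(token)
        body = request(cache.get())
    return body


def make_fake_issuer():
    """Constructed stand-in for the token endpoint; records every token minted."""
    issued = []

    def fetch():
        issued.append(f"tok-{len(issued) + 1}")
        return {"access_token": issued[-1], "token_type": "bearer", "expires_in": 3599}

    return fetch, issued
```

Comparing the rejected token before clearing the cache means that several requests failing at once trigger one refresh rather than one each.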

Hi @elisa.zoom

Do I need to pass some special parameter to /oauth/token endpoint to make sure other tokens are not invalidated? I can see that change was released 20 days ago and yet I have been experiencing that issue last week.

Hi @bartosz.blimke
You do not need to pass any special parameter when making the request.

Hi Elisa,
I would like to know if there’s any link related to this feature release?

Obviously this multiple access_token is already functioning, but I need to provide some kind of official release note or something to my superior.

Did Zoom mention anywhere regarding this ‘live’ announcement?

Hi @niceperson404

You can see it is documented right now

And there was also an announcement in the Dev Forum

Hope this helps