"Invalid Token!" error message when trying to refresh oauth token

Hope this helps someone. Basically the problem is that the refresh token is updated every time a new access token is requested, so you need to update both on your end: access token AND refresh token. Otherwise you will get "refresh token invalid" if you use the original refresh token.

Hey @greminders,

Thanks so much for jumping in and helping out—great context for our developers!

Best,
Will

Hope this helps others: different environments will invalidate each other's refresh tokens. For example:

  1. A user on the dev server does the OAuth workflow.
  2. A user on the staging server does OAuth with the same account.
  3. The dev server user tries to use the access token. It fails, so it tries a refresh. Invalid token error.
  4. The dev server is now broken because the staging server got the most recent access & refresh tokens.
  5. The dev server re-authorizes. Refreshes work, but now the staging server is broken.
    …the cycle continues.

Take heart knowing that on production this won't happen, because your users won't be running OAuth transactions on your dev servers.

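To make the two behaviours above concrete (rotation on every refresh from the first post, and one environment revoking the other's refresh token from the numbered steps), here is a small simulated token endpoint in Python. It is an added example for this thread, not Zoom's implementation; it assumes exactly what the posts describe (each refresh returns a new access token and a new refresh token, the old refresh token stops working, and only one refresh token per app/account pair is live at a time). The `AuthServer` class, the `InvalidToken` exception, the client id `"app"`, the account `"acct-1"` and the lifetimes are all constructed for the demo.

```python
"""Toy OAuth token endpoint with rotating, single-use refresh tokens.

Added example for this thread, not Zoom's code.  Assumes the behaviour the
posts describe: every refresh issues a new access AND refresh token, the old
refresh token is revoked, and only one refresh token per (app, account) is
live.  Client ids, account ids, token values and lifetimes are constructed.
"""
import secrets


class InvalidToken(Exception):
    """Stands in for the 401 'Invalid Token!' response."""


class AuthServer:
    def __init__(self, access_ttl=3600):
        self.now = 0                # fake clock (seconds) so the demo is deterministic
        self.access_ttl = access_ttl
        self._refresh = {}          # refresh_token -> (client_id, account_id)
        self._access = {}           # access_token  -> (client_id, account_id, expires_at)
        self._current = {}          # (client_id, account_id) -> the one live refresh token

    def advance(self, seconds):
        self.now += seconds

    def _issue(self, client_id, account_id):
        # Revoke the refresh token this app/account pair had before, if any.
        old = self._current.pop((client_id, account_id), None)
        self._refresh.pop(old, None)
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._access[access] = (client_id, account_id, self.now + self.access_ttl)
        self._refresh[refresh] = (client_id, account_id)
        self._current[(client_id, account_id)] = refresh
        return {"access_token": access, "refresh_token": refresh}

    def authorize(self, client_id, account_id):
        """The user completes the OAuth consent flow for this app."""
        return self._issue(client_id, account_id)

    def refresh(self, client_id, refresh_token):
        """grant_type=refresh_token: only the most recently issued token is accepted."""
        owner = self._refresh.get(refresh_token)
        if owner is None or owner[0] != client_id:
            raise InvalidToken("Invalid Token!")
        return self._issue(client_id, owner[1])

    def api_call(self, access_token):
        entry = self._access.get(access_token)
        if entry is None or entry[2] <= self.now:
            raise InvalidToken("Invalid Token!")
        return {"ok": True, "account": entry[1]}


def scenario_store_both_tokens():
    """The fix from the first post: overwrite BOTH stored tokens after every refresh."""
    server = AuthServer()
    stored = server.authorize("app", "acct-1")          # saved to the DB at install time
    for _ in range(3):
        server.advance(7200)                            # access token has expired by now
        stored = server.refresh("app", stored["refresh_token"])  # replaces both values
    return server.api_call(stored["access_token"])["ok"]


def scenario_keep_original_refresh_token():
    """The bug: refresh once but keep using the original refresh token afterwards."""
    server = AuthServer()
    original = server.authorize("app", "acct-1")
    server.refresh("app", original["refresh_token"])    # first refresh succeeds
    try:
        server.refresh("app", original["refresh_token"])  # same token again: rejected
    except InvalidToken as err:
        return str(err)
    return "unexpected success"


def scenario_two_environments():
    """Dev and staging share one app registration and one Zoom account; each
    authorization revokes the other environment's refresh token (steps 1-5 above)."""
    server = AuthServer()
    events = []
    dev = server.authorize("app", "acct-1")             # 1. dev completes OAuth
    staging = server.authorize("app", "acct-1")         # 2. staging does the same
    server.advance(7200)
    try:
        server.api_call(dev["access_token"])            # 3. dev's access token expired
    except InvalidToken:
        try:
            server.refresh("app", dev["refresh_token"])  #    ...and its refresh fails
        except InvalidToken:
            events.append("dev refresh rejected")
    dev = server.authorize("app", "acct-1")             # 4/5. dev re-authorizes
    try:
        server.refresh("app", staging["refresh_token"])  #    now staging is broken
    except InvalidToken:
        events.append("staging refresh rejected")
    return events
```

The practical takeaway is in `scenario_store_both_tokens`: the refresh response must be written back to the same row that held the old pair, atomically, so a second worker cannot race in with the already-consumed refresh token. Whether an old access token stays valid until its own expiry after a refresh is not stated in the thread, so the toy server leaves it alone.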

Thanks for sharing your experience with our community @viddd :slight_smile:

Hi @will.zoom and @tommy - I had this problem due to using the same Zoom account to test with two different user accounts on my own system, i.e. when user 2 linked the same Zoom account as user 1, user 1 would still appear linked but the tokens would not work, due to the problem described above. I wonder, is there any way to identify that two sets of auth tokens come from the same Zoom account, so that I can "unlink" the first user when a second links the same Zoom account, without requesting access to the "user" scope? At the moment I am just asking for the ability to create meetings, and would rather keep it that way rather than risk scaring users with demands for access to their full Zoom profile.

Hey @budgetcriticism,

Good question. One option could be to grab the access token when a user installs the app. You can JWT decode this to determine which user/account it belongs to. You can see my post here for more details on this approach (different topic, but decoding the access token is still relevant):

Let me know if this helps,
Will

Hi @will.zoom. Thank you very much for your reply. I'd actually already seen a post about jwt-decoding the auth token and extracting the user ID, but I wasn't sure which claim / key in the JWT to use. I have since decided it must be the "uid", given that I can see the same string used to represent me elsewhere in the Zoom system, but seeing as it's not documented anywhere I am not sure - also I noticed today @tommy, in a different post, explaining that since this is an unofficial API it can unexpectedly change. So, I'll need to think about how to handle that! I'll probably just have to set up monitoring to catch a change to the data in the token and respond appropriately, and / or respond to failing API requests by retrying once and then unlinking the user's account and sending an apologetic email (or something). Unless you can correct me about the API being unstable? It would be great, one day, if you could put that data in the token on an official basis, so we could rely on it properly.

Hey @budgetcriticism,

Thank you for the feedback, and happy to clarify. Just to make sure we’re on the same page, when you talk about an API that could change in the future, are you referring to the method of decoding a JWT token or a specific endpoint? Our OAuth endpoint should be pretty stable.

Let me know!
Will

Hi @will.zoom - sorry for using unclear language. I’m referring to the method of using jwt-decode to extract the user ID from the oauth access token.

Hi @budgetcriticism,

Thanks for clarifying—we don't have any plans to change how OAuth access tokens are encoded. That said, this is a workaround of sorts, and I can appreciate the desire to have a more efficient way of handling this. I'm happy to share this feedback internally.

Thanks,
Will

Thanks, @will.zoom . It would just be useful to know this is reliable in the long-term. But, also good to know you don’t plan to change it.

Hi @budgetcriticism,

You can keep an eye on our Changelog to keep track of any changes to Zoom APIs, but correct—no plans to change this.

Thanks,
Will

Brilliant, thank you for that. I have subscribed (and noticed the RSS feeds, of which I approve). Would you be able to confirm, please, that the "uid" key is the one I need to detect that two OAuth tokens were generated using the same Zoom login?

Hey @budgetcriticism,

The UID refers to the User ID of the User who installed the app, and the AUD refers to the account of the user who installed the app. Does this help?

Thanks,
Will

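The approach worked out above (decode the access token, read `uid` and `aud`, and unlink an earlier app user who linked the same Zoom login) looks like this in Python. It is an added example for this thread, not Zoom's or the poster's code. It assumes, as Will states, that the access token is a compact JWT whose payload carries `uid` (installing user) and `aud` (that user's account); the `LinkStore` class, the HS256 signing secret used to build demo tokens, the claim values and the user ids `user-1` / `user-2` are all constructed. Note the caveat in `decode_claims`: it reads the payload without verifying the signature, which is only acceptable because the token was just handed to you by the token endpoint over TLS, not presented by a client.

```python
"""Read uid/aud from a Zoom-style OAuth access token and keep one app user
linked per Zoom login.  Added example, not Zoom's code; assumes the token is
a compact JWT with 'uid' and 'aud' claims.  Secret, claims and ids are constructed.
"""
import base64
import hashlib
import hmac
import json


def b64url_decode(segment):
    # JWT segments are base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_jwt(claims, secret):
    """Constructed HS256 token for the demo; a real one comes from the token endpoint."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_claims(token):
    """Payload of a compact JWT, WITHOUT signature verification.

    Safe here only because the token came straight from the authorization
    server's token endpoint over TLS and we are reading it, not trusting it.
    Never do this on a token presented by a client to decide what it may do.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def zoom_identity(access_token):
    """(uid, aud): the installing user and their account, per the thread."""
    claims = decode_claims(access_token)
    missing = [k for k in ("uid", "aud") if k not in claims]
    if missing:
        # The undocumented layout changed: fail loudly rather than mis-link users.
        raise KeyError(f"access token lacks claim(s) {missing}")
    return claims["uid"], claims["aud"]


class LinkStore:
    """Maps our own users to Zoom logins; one live link per Zoom uid."""

    def __init__(self):
        self.links = {}    # our user id -> {"uid", "aud", "access_token", "refresh_token"}
        self.by_uid = {}   # Zoom uid -> our user id

    def link(self, our_user, tokens):
        """Store tokens for our_user; returns the user unlinked if the uid was already taken."""
        uid, aud = zoom_identity(tokens["access_token"])
        unlinked = None
        previous = self.by_uid.get(uid)
        if previous is not None and previous != our_user:
            # The same Zoom login was linked again: the earlier tokens are dead, drop them.
            del self.links[previous]
            unlinked = previous
        self.links[our_user] = {"uid": uid, "aud": aud, **tokens}
        self.by_uid[uid] = our_user
        return unlinked


def demo():
    """Two of our users link the same constructed Zoom login; the first gets unlinked."""
    secret = b"constructed-demo-secret"
    tok1 = make_jwt({"uid": "abc123", "aud": "acct-xyz", "exp": 1700000000}, secret)
    tok2 = make_jwt({"uid": "abc123", "aud": "acct-xyz", "exp": 1700003600}, secret)
    store = LinkStore()
    first = store.link("user-1", {"access_token": tok1, "refresh_token": "r-1"})
    second = store.link("user-2", {"access_token": tok2, "refresh_token": "r-2"})
    return first, second, sorted(store.links)
```

Because the claim layout is not documented, `zoom_identity` refuses to proceed when `uid` or `aud` is absent instead of silently linking on a wrong key; wiring that `KeyError` into your monitoring is the cheap version of the "watch for the token format changing" plan discussed above.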

Yes, that’s helpful. Thank you.

No problem, glad I could help @budgetcriticism!

Best,
Will

Hey @will.zoom,
I have the same issue with refreshing token API
When I am using the POST method it gives me an invalid token error, and when I am using the GET method it gives the response below. Can you tell me whether this is the right response or not? If not, where is my mistake?

object(GuzzleHttp\Psr7\Stream)#39 (7) { ["stream":"GuzzleHttp\Psr7\Stream":private]=> resource(62) of type (stream) ["size":"GuzzleHttp\Psr7\Stream":private]=> NULL ["seekable":"GuzzleHttp\Psr7\Stream":private]=> bool(true) ["readable":"GuzzleHttp\Psr7\Stream":private]=> bool(true) ["writable":"GuzzleHttp\Psr7\Stream":private]=> bool(true) ["uri":"GuzzleHttp\Psr7\Stream":private]=> string(10) "php://temp" ["customMetadata":"GuzzleHttp\Psr7\Stream":private]=> array(0) { } }


Hey @nilkanth,

Thank you for reaching out to the Zoom Developer Forum. Please create a separate forum post for this issue including the request body, endpoint and response so that we can focus on all the information there. We’ll be sure to assist you ASAP in that new post.

Thanks,
Max

Did anyone get this problem resolved? I'm experiencing the same issue: I store the tokens in the DB after authorization, then create meetings by retrieving the token from the DB. Hours later the token has expired, so I use the refresh_token to refresh it, but it returns 401 invalid token every time, and here's the error

Hi @ryanyewtf,

This sounds like it could be an issue with the refresh token you’re using. Can you ensure you’re using the refresh token that was returned when you originally retrieved your access_token? Note that the purpose of a refresh token is to retrieve a new access_token and refresh_token pair at the same time. You can read more about this flow here as well.

Thanks,
Will