Hope this helps others: different environments will invalidate the others’ refresh tokens. For example,
- User on dev server does the OAuth workflow.
- User on staging server does OAuth with the same account.
- Dev server user tries to use the access token. It fails, so it tries a refresh. Invalid token error.
- Dev server is now broken because staging server got the most recent access & refresh tokens.
- Dev server re-authorizes. Refreshes work, but now staging server is broken.
…the cycle continues.
Take heart knowing on production this won’t happen because your users won’t be running OAuth transactions on your dev servers.
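
The sequence described in the post above, replayed against a small in-memory model (an added example, not part of the original post and not any provider's code). It assumes the authorization server keeps a single active grant per user and client registration; `ToyAuthServer`, `run_cycle` and the client IDs are hypothetical names, and the second run with one registration per environment only shows how this model behaves.

```python
import secrets

class InvalidToken(Exception):
    """Raised when a presented refresh token is not the active one."""

class ToyAuthServer:
    """Constructed model: one active grant per (user, client_id)."""
    def __init__(self):
        self._grants = {}  # (user, client_id) -> (access_token, refresh_token)

    def authorize(self, user, client_id):
        # A fresh OAuth flow replaces any earlier grant stored under the same key.
        pair = (secrets.token_hex(8), secrets.token_hex(8))
        self._grants[(user, client_id)] = pair
        return pair

    def refresh(self, user, client_id, refresh_token):
        current = self._grants.get((user, client_id))
        if current is None or not secrets.compare_digest(current[1], refresh_token):
            raise InvalidToken("invalid refresh token")
        return self.authorize(user, client_id)  # rotate the pair on every refresh

def run_cycle(dev_client, staging_client, user="alice"):
    """Replay the post's steps; report whether each environment can still refresh."""
    server = ToyAuthServer()
    # Each environment stores the token pair it received from its own OAuth flow.
    stored = {
        "dev": (dev_client, server.authorize(user, dev_client)),
        "staging": (staging_client, server.authorize(user, staging_client)),
    }
    result = {}
    for env, (client_id, (_access, refresh_token)) in stored.items():
        try:
            server.refresh(user, client_id, refresh_token)
            result[env] = "ok"
        except InvalidToken:
            result[env] = "invalid_token"
    return result

if __name__ == "__main__":
    # Same registration in both environments: staging's flow displaced dev's grant.
    print("shared client:", run_cycle("app", "app"))
    # One registration per environment (assumption): the grants no longer collide.
    print("separate clients:", run_cycle("app-dev", "app-staging"))
```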