OAuth Access & refresh token questions

Description
Just a couple of simple questions:

  1. I have Webhooks/Event subscription enabled. What happens if the AccessToken expires but my RefreshToken is valid, will I still receive Webhooks? I ask this because I only refresh my access token on demand when calling the API.

  2. While testing, I have been noticing that my refresh token suddenly stops working. I suspect this is happening when the same user logs in on the browser on different machines… So my question is, under what circumstances is the refresh token revoked? If never, then why do I suddenly start getting 401s when using my refresh token?

Any further information on access tokens would be beneficial.

Which App Type (OAuth / Chatbot / JWT / Webhook)?
OAuth

Thank you.

Hey @hunter.steele2,

Yes, the webhooks will still send! Refreshing your token on demand is the suggested flow so you are good! :slight_smile:

Hey @hunter.steele2,

Yes, if a user logs in on a different device, the OAuth flow basically restarts, invalidating the current OAuth access and refresh tokens you have stored. You will need to get the access_token again upon new authorization and update your saved tokens with the new tokens.

Thanks,
Tommy

@tommy Question on the comment “Yes, if a user logins in on a different device,” what defines a device? If simple OAuth is used, how does it even know what device it is? Not using Webhooks/Event subscriptions, so maybe that comment doesn’t apply.

We’ve gotten a few 401s trying to refresh tokens, so I’m poking around looking for answers. I know that will happen if we failed to save a prior refresh token, but I haven’t found any clues that we are losing a refresh token.

-Ken

Hey @kkoellner,

Basically, if a user who has already authorized your app (and whose tokens you have received) authorizes again by going to the install URL, you will receive new tokens, invalidating the prior ones.

So your app would need to handle that flow, updating the tokens on a new install for the same user.

Let me know if that helps! :slight_smile:

Thanks,
Tommy

It turns out that one of our admins had configured multiple instances of our app against the same Zoom app. Each instance of our app has a separate database. So a user auths in instance A of our app and everything is fine. Then the same user auths in instance B of our app. That also works fine, but it gets tokens for the same user and Zoom app and stores them in database B. Then later they try to use instance A again; that gets the old tokens out of database A, and when they try to refresh, the error occurs.

-Ken

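A small constructed model of the behaviour Tommy and Ken describe (an added example, not Zoom's SDK or API; the AuthServer and AppInstance classes and the token format are assumptions): a new authorization supersedes the earlier token pair, refreshing with the superseded pair fails the way the 401 does, and the app records that the user must install again instead of retrying with dead tokens.

```python
from dataclasses import dataclass, field
import secrets

class Unauthorized(Exception):
    """Stands in for the HTTP 401 the thread describes."""

@dataclass
class AuthServer:
    """Constructed model: one active grant per user; refresh rotates the pair."""
    current: dict = field(default_factory=dict)  # user -> currently valid refresh token

    def authorize(self, user):
        """User completes the install URL: issue a new pair, any earlier pair is dead."""
        pair = {"access_token": secrets.token_hex(8), "refresh_token": secrets.token_hex(8)}
        self.current[user] = pair["refresh_token"]
        return pair

    def refresh(self, user, refresh_token):
        """Only the most recently issued refresh token is accepted."""
        if self.current.get(user) != refresh_token:
            raise Unauthorized("refresh token is no longer the current one")
        return self.authorize(user)

@dataclass
class AppInstance:
    """One deployment with its own token database (instance A or B in Ken's case)."""
    server: AuthServer
    db: dict = field(default_factory=dict)
    needs_reauth: set = field(default_factory=set)

    def install(self, user):
        self.db[user] = self.server.authorize(user)

    def refresh_on_demand(self, user):
        """Before an API call: return a fresh access token, or None if the user must re-authorize."""
        try:
            self.db[user] = self.server.refresh(user, self.db[user]["refresh_token"])
        except Unauthorized:
            # The stored pair was superseded by a newer authorization elsewhere.
            # Retrying cannot help; drop the dead tokens and flag the user for a new install.
            self.db.pop(user, None)
            self.needs_reauth.add(user)
            return None
        return self.db[user]["access_token"]

def replay_thread_scenario():
    """Two instances, separate databases, same user and same Zoom app."""
    server = AuthServer()
    a, b = AppInstance(server), AppInstance(server)
    a.install("ken")  # works
    b.install("ken")  # also works, but silently supersedes A's stored pair
    return a.refresh_on_demand("ken"), b.refresh_on_demand("ken"), "ken" in a.needs_reauth
```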

Hey @kkoellner,

Glad you were able to figure out the issue! :slight_smile:

Thanks,
Tommy

Hi @tommy,

I read through the thread.

I want a user to authenticate once on my application, and whoever they add to their team on my application should be able to perform actions (like webinar API calls). But the saved token expires when the other user signs in. You can think of it as a school admin authenticating a Zoom account, and the teachers or students they add being able to create webinars and add participants to them without having a Zoom account.

Is there a workaround to this? Do you have any suggestion?

@fail_fixer,

Welcome to the Developer Forum and thank you for writing to us. Please note, if a user simultaneously accesses the App from a second device such as another computer, phone, etc., any other access_tokens will be invalidated. At the moment, this is expected behavior. In the future, we hope to support multiple active OAuth tokens per user to enhance the flow where the user needs to OAuth authenticate on multiple devices. Please kindly get the latest refresh token to get new access when this occurs.

Regards,
Donte
