Question about OAuth refresh_token

I just want to be absolutely clear on how refresh_token works for the OAuth API.

The initial token for a user expires in 1 hour. However, the refresh_token lasts for 15 years.

Could I then just use that initial token, immediately generate a refresh_token, and then not have to worry about web-based token generation ever again? (15 years).

I was originally going to ask if there was a method to use the OAuth API without using any kind of Token. This is because not all server operations are driven by a user, so there will be times where the web browser authorization process could not be done, but I’d still like to access information about Meetings without any user context.

But if I can at least generate user refresh_tokens that last 15 years, I can just fake it. But is that going outside good OAuth design?


Which App Type (OAuth / Chatbot / JWT / Webhook)?

Which Endpoint/s?
Kinda all of them.


Few things to consider:

  1. A refresh_token is only valid to get a new access_token. It cannot be used to make API calls itself.
  2. At the same time you receive a new access_token, the JSON response also includes a new refresh_token.
  3. The existing (now old) refresh_token is invalidated when you use it to retrieve a new access_token.

Ideally, you should store the latest access_token, time it is granted, expiration, and refresh_token every time you either do an OAuth from scratch or refresh_token from the server. You can also combine the grant time + expiration time into one timestamp of when that access_token expires.

The very first time you use OAuth in your application, the flow should look like this:
(I have like an admin panel where I can re-start the OAuth process separate from the rest of the app)

  1. Initial OAuth authorization
  2. Get the “code” from the redirect back to your application
  3. Complete the “token” step by posting to Zoom with the aforementioned code.
  4. Store access_token, expiration timestamp and refresh_token somewhere.

On all requests to the API:

  1. Check the expiration time of the current access_token against the current time.
  2. If expired,
    a. use the refresh_token to get a new access_token. (POST to with refresh_token)
    b. Store the new access_token, expiration date and refresh token.
  3. Use latest stored access_token to make API call.
  4. Repeat for all API requests.
1 Like

oooo, powerful information. Though it did kill the fun of the 15 year access_token idea. However, with the refresh_token it appears the access_token can be updated serverside without having to use the web auth all the time.

Thanks tons samly!

1 Like

Hey @kmwill23,

Yep, you can refresh the access_token on server side whenever you choose.

Thanks @samly for your detailed solution!