Questions Regarding OAuth Tokens

I am fairly new to the whole authentication/authorization mechanism with OAuth APIs. The documentation says that refresh tokens are valid for 15 years and I don’t see a way to revoke them which makes me wonder about the security implications.

  1. Is it possible to have more than one valid refresh token or does any subsequent generated token invalidate all previous?

  2. What protections prevent misuse of a compromised refresh token if it doesn’t end up getting used by the application?

  3. I believe the documentation also said that refresh tokens must be used for all subsequent access token requests, but what happens in the case where the refresh token is lost or you don’t have secured persistent memory? Would you go through the whole authorization process again?

Hey @FacelessPhoenix

Thanks for posting on the Zoom Devforum! I am still learning, but I will try my best to help answer your question. :slightly_smiling_face:

Checkout this related thread that may have the answer you are looking for:

If this thread did not help, please let us know by replying back here and someone from the Developer Relations team will get back to you shortly.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.