Randomly receiving "Invalid access token" for Server-to-Server OAuth

Hi @MultiplayerSession I just wanted to reach out to you to confirm that I am working with Engineering to debug this issue. The index tolerance has been increased for your app so I shared the information you shared with me with the team so they can investigate this further. Thanks for your patience.

@david5 This message was probably intended to ping you instead of me:

That said, I’m also seeing the same behavior where the index parameter doesn’t appear to be taking effect using similar replication steps, although I’m placing the request parameters in the request body instead of the query string:

Request URL: https://zoom.us/oauth/token
Request body: grant_type=account_credentials&account_id=***&index=2
Response body: {"access_token":"***","token_type":"bearer","expires_in":3599,"scope":"dashboard_meetings:read:admin dashboard_webinars:read:admin meeting:read:admin meeting:write:admin user:read:admin webinar:read:admin webinar:write:admin"}

I’m trying to troubleshoot with Zoom Developer Support in ticket number #14947692.

Update (15 September 2022): The correct parameter name should be token_index.

Thanks for catching this up! I probably got confused @MultiplayerSession
Also thanks for sharing the ticket that you have open with support… I will take a look into that ticket and I will reply in that thread

@elisa.zoom ,

Any movement on this? I’ve seen the updates through the support ticket and other channels, but things still aren’t working any differently. Any additional information needed from me to help debug the issue?

David

Hi @david5
I do not have one at the moment, but I am actively looking into this

For posterity and anyone else who happens to run across this thread while scratching their head about how Server-to-Server OAuth works:

  1. Requesting a new Server-to-Server OAuth token invalidates the previous one.
  2. Zoom can increase the “index” count for your account, allowing you to request different tokens with different indexes that do not interfere with each other (i.e. requesting a token for index 1 doesn’t invalidate the token requested for index 2).
  3. The token index is specified in the call to https://zoom.us/oauth/token by passing the token_index query parameter (https://zoom.us/oauth/token?token_index=2)

This should allow folks to build out a background oauth token rotation strategy where the token is updated in a central place, using a new index value (e.g. database, AWS SSM or secrets manager, etc.) allowing applications to continue using the previous token until they can read the new value from the central location.


Hello @elisa.zoom ,

We are having the same issues, can you help please?
I created this ticket: https://support.zoom.us/hc/en-us/requests/16360848

Hello,
I am having the same issue and would like the index for our server to server app to be increased to 6.
I had opened this ticket https://support.zoom.us/hc/en-us/requests/16423969 but was asked to post to the dev forum first. Please let me know how long this will take to resolve.
Also wanted to know if there is a limit to the number of server to server oauth apps I can have on our account?
Sumit

I can’t help with increasing your limit, but I can say that the index is the limit to the number of oauth tokens you can have active at one time. We had to build a token rotation service that would flip between two indexes. We allocated some indexes to our dev environment and some to our prod.

Developer Support limited me to 3 concurrent index values. If you need more than that, my recommendation is to create multiple identical Server-to-Server OAuth applications corresponding to the number of concurrent tokens you need (each application represents 1 index value).

I was hoping to get 2 tokens per environment (3 environments). I thought I read in this post that someone’s index tolerance was increased to 5.
@david5 , can you share some details on the service you created?

@onemancat We run in AWS, so we wrote an AWS lambda function that is triggered on a schedule (every 50 minutes). The function updates a secret stored in AWS Secrets Manager. We store the oauth token, the index used to generate the token and the timestamp the token was generated. The Lambda function increments the index (circularly within a range), generates a new token and updates Secrets Manager.

The services that need to make Zoom API calls look up the Secrets Manager value and use the token within to make the API calls. They also use the timestamp value to determine when they should go back to Secrets Manager to look for a new token.
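The rotation scheme @david5 describes above, together with the token_index summary earlier in the thread, as an added worked example (this is not code from the thread, from Zoom, or from any poster's service). FakeZoom is a constructed stand-in for the token endpoint that models the one-live-token-per-index rule; the secret name is a placeholder, and the real HTTP call and client-credential auth are left out.

```python
import json
from urllib.parse import urlencode

TOKEN_URL = "https://zoom.us/oauth/token"   # endpoint named in the thread

def build_token_url(account_id, token_index):
    """Token request URL; token_index selects which concurrent token slot to use."""
    q = {"grant_type": "account_credentials", "account_id": account_id,
         "token_index": token_index}
    return f"{TOKEN_URL}?{urlencode(q)}"

class FakeZoom:
    """Constructed stand-in for Zoom's token endpoint: one live token per index;
    issuing a new token for an index invalidates only that index's previous token."""
    def __init__(self):
        self.live = {}
        self.counter = 0
    def issue(self, token_index):
        self.counter += 1
        tok = f"tok-{token_index}-{self.counter}"   # constructed token value
        self.live[token_index] = tok
        return {"access_token": tok, "token_type": "bearer", "expires_in": 3599}
    def is_valid(self, token):
        return token in self.live.values()

SECRET_NAME = "zoom/s2s-token"   # placeholder Secrets Manager name (assumption)

def next_index(current, lo, hi):
    """Advance circularly within the range of indexes allocated to this environment."""
    return lo if current >= hi else current + 1

def rotate(store, zoom, lo, hi, now):
    """One scheduled rotation step (the Lambda's job): pick the next index, fetch, store.
    `store` stands in for Secrets Manager; `now` is a Unix timestamp."""
    prev = json.loads(store[SECRET_NAME]) if SECRET_NAME in store else {"token_index": hi}
    idx = next_index(prev["token_index"], lo, hi)
    resp = zoom.issue(idx)   # real code: HTTP POST to build_token_url(account_id, idx)
    record = {"access_token": resp["access_token"], "token_index": idx,
              "issued_at": now, "expires_in": resp["expires_in"]}
    store[SECRET_NAME] = json.dumps(record)
    return record

def needs_refresh(record, now, max_age=50 * 60):
    """Consumer side: re-read the secret once the stored token is older than the
    rotation period, so callers pick up the new token before the old one is replaced."""
    return now - record["issued_at"] >= max_age
```

With two indexes the token issued in the previous rotation stays valid while consumers move over, and is only invalidated when its index comes round again.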

Thanks so much. That makes sense.

Hello @elisa.zoom ,
Will you or someone else be able to help me with my request?
Sumit
The request post above:
Hello,
I am having the same issue and would like the index for our server to server app to be increased to 6.
I had opened this ticket https://support.zoom.us/hc/en-us/requests/16423969 but was asked to post to the dev forum first. Please let me know how long this will take to resolve.
Also wanted to know if there is a limit to the number of server to server oauth apps I can have on our account?
Sumit

Hi @onemancat
Normally our support team will help you with this issue, but I am happy to help.
There is no limit to the number of server to server OAuth apps that you can have in your account.

Hi @elisa.zoom!

I opened request https://support.zoom.us/hc/en-us/requests/17290984 and they closed it on me, redirecting me to https://devforum.zoom.us.

Can you help me?

kind regards,
Daniel

I am taking a look into this @ziegenberg

Hello @elisa.zoom ,

I am having the same issue and would like the index for our server to server app to be increased to 2 at least.
I had opened this ticket https://support.zoom.us/hc/en-us/requests/17415534 but was asked to post to the dev forum.

Will you or someone else be able to help me with my request?

Hello @elisa.zoom
We have converted our JWT app to Server-to-server Oauth and are now experiencing random “Invalid access token” errors even though the token is definitely not expired. Our app runs on multiple servers behind a load balancer. We’ve tried keeping the token in a shared Redis db (accessible by all servers) or multiple access tokens stored locally on each server, but in either case we still get random “invalid access token” error messages.

Hi @kfrymire
Thanks for reaching out to us and welcome to our community!
Can you please make sure you are not generating more than 1 token at the same time? As of right now the expected behavior is that when you generate a new token, the previous one will be invalidated and you will be getting the “invalid access token” error.