Randomly receiving "Invalid access token" for Server-to-Server OAuth

@elisa.zoom ,

Any movement on this? I’ve seen the updates through the support ticket and other channels, but things still aren’t working any differently. Any additional information needed from me to help debug the issue?

David

Hi @david5
I do not have one at the moment, but I am actively looking into this

For posterity and anyone else who happens to run across this thread while scratching their head about how Server-to-Server OAuth works:

  1. Requesting a new Server-to-Server OAuth token invalidates the previous one.
  2. Zoom can increase the “index” count for your account, allowing you to request different tokens with different indexes that do not interfere with each other (i.e. requesting a token for index 1 doesn’t invalidate the token requested for index 2).
  3. The token index is specified in the call to https://zoom.us/oauth/token by passing the token_index query parameter (https://zoom.us/oauth/token?token_index=2)

This should allow folks to build out a background oauth token rotation strategy where the token is updated in a central place, using a new index value (e.g. database, AWS SSM or secrets manager, etc.) allowing applications to continue using the previous token until they can read the new value from the central location.

5 Likes

Hello @elisa.zoom ,

We are having the same issues, can you help please?
I created this ticket: https://support.zoom.us/hc/en-us/requests/16360848

Hello,
I am having the same issue and would like the index for our server to server app to be increased to 6.
I had opened this ticket https://support.zoom.us/hc/en-us/requests/16423969 but was asked to post to the dev forum first. Please let me know how long this will take to resolve.
Also wanted to know if there is a limit to the number of server to server oauth apps I can have on our account?
Sumit

I can’t help with increasing your limit, but I can say that the index is the limit to the number of oauth tokens you can have active at one time. We had to build a token rotation service that would flip between two indexes. We allocated some indexes to our dev environment and some to our prod.

Developer Support limited me to 3 concurrent index values. If you need more than that, my recommendation is to create multiple identical Server-to-Server OAuth applications corresponding to the number of concurrent tokens you need (each application represents 1 index value).

I was hoping to get 2 tokens per environment (3 environments). I thought I read in this post that someone’s index tolerance was increased to 5.
@david5 , can you share some details on the service you created?

@onemancat We run in AWS, so we wrote an AWS lambda function that is triggered on a schedule (every 50 minutes). The function updates a secret stored in AWS Secrets Manager. We store the oauth token, the index used to generate the token and the timestamp the token was generated. The Lambda function increments the index (circularly within a range), generates a new token and updates Secrets Manager.

The services that need to make Zoom API calls look up the Secrets Manager value and use the token within to make the API calls. They also use the timestamp value to determine when they should go back to Secrets Manager to look for a new token.
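The rotation described in this thread (a scheduled job that cycles the token index and publishes token, index and timestamp, with consumers re-reading based on the timestamp), as an added example; it is not the poster's code or Zoom's. The `store` dict stands in for AWS Secrets Manager, and `SECRET`, `INDEX_RANGE`, `request_token` and the fake issuer in `simulate()` are assumptions made for illustration.

```python
import json
import time

INDEX_RANGE = (1, 2)       # assumed: the index values enabled for this environment
ROTATE_EVERY = 50 * 60     # seconds, the schedule described in the post
SECRET = "zoom/s2s-token"  # hypothetical secret name

def token_url(account_id, index):
    """Token request URL; token_index is the parameter named in the thread."""
    return ("https://zoom.us/oauth/token?grant_type=account_credentials"
            f"&account_id={account_id}&token_index={index}")

def next_index(current, lo=INDEX_RANGE[0], hi=INDEX_RANGE[1]):
    """Advance circularly within [lo, hi]; start at lo if nothing usable is stored."""
    if current is None or not lo <= current <= hi:
        return lo
    return lo + (current - lo + 1) % (hi - lo + 1)

def rotate(store, request_token, now=time.time):
    """Scheduled job: mint a token on the next index, then publish it."""
    previous = json.loads(store.get(SECRET, "{}"))
    index = next_index(previous.get("index"))
    record = {"token": request_token(index), "index": index, "issued_at": now()}
    store[SECRET] = json.dumps(record)
    return record

class TokenReader:
    """Consumer: cache the record and re-read the store once a rotation is due."""
    def __init__(self, store, now=time.time):
        self.store, self.now, self.record = store, now, None
    def token(self):
        due = self.record is None or self.now() - self.record["issued_at"] >= ROTATE_EVERY
        if due:
            self.record = json.loads(self.store[SECRET])
        return self.record["token"]

def simulate():
    """Constructed run against a fake issuer that keeps one live token per index."""
    clock, store, live = [0], {}, {}
    def fake_request(index):  # stands in for the POST to token_url(...)
        live[index] = f"tok-{index}-{clock[0]}"
        return live[index]
    tick = lambda: clock[0]
    reader = TokenReader(store, now=tick)
    rotate(store, fake_request, now=tick)
    held = reader.token()
    clock[0] = ROTATE_EVERY
    rotate(store, fake_request, now=tick)
    return held, held in live.values(), reader.token()
```

`simulate()` returns the token a consumer was holding, whether it was still live after the next rotation, and the token the consumer picks up on its next read.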

Thanks so much. That makes sense.

Hello @elisa.zoom ,
Will you or someone else be able to help me with my request?
Sumit
The request post above:
Hello,
I am having the same issue and would like the index for our server to server app to be increased to 6.
I had opened this ticket https://support.zoom.us/hc/en-us/requests/16423969 but was asked to post to the dev forum first. Please let me know how long this will take to resolve.
Also wanted to know if there is a limit to the number of server to server oauth apps I can have on our account?
Sumit

Hi @onemancat
Normally our support team will help you with this issue, but I am happy to help.
There is no limit to the number of server to server OAuth apps that you can have in your account.

Hi @elisa.zoom!

I opened request https://support.zoom.us/hc/en-us/requests/17290984 and they closed it on me, redirecting me to https://devforum.zoom.us.

Can you help me?

kind regards,
Daniel

I am taking a look into this @ziegenberg

Hello @elisa.zoom ,

I am having the same issue and would like the index for our server to server app to be increased to 2 at least.
I had opened this ticket - https://support.zoom.us/hc/en-us/requests/17415534 but was asked to post to the dev forum.

Will you or someone else be able to help me with my request?

Hello @elisa.zoom
We have converted our JWT app to Server-to-server Oauth and are now experiencing random “Invalid access token” errors even though the token is definitely not expired. Our app runs on multiple servers behind a load balancer. We’ve tried keeping the token in a shared Redis db (accessible by all servers) or multiple access tokens stored locally on each server, but in either case we still get random “invalid access token” error messages.

Hi @kfrymire
Thanks for reaching out to us and welcome to our community!
Can you please make sure you are not generating more than 1 token at the same time? As of right now the expected behavior is that when you generate a new token, the previous one will be invalidated and you will be getting the “invalid access token” error

Recent Zoom Developer Newsletter (July 2023) says the issue does not exist anymore, so when generating a new access_token, it does not invalidate older tokens that are still not expired.

Here is the quote from the newsletter:

Multi-Access Tokens Available in Server-to-Server OAuth

The new Multiple Access Tokens feature allows you to generate multiple tokens for a server to server OAuth app without invalidating the previous tokens. This means you no longer need to use the “index” parameter in your query to generate multiple tokens. If you are using the index query parameter, it will be ignored, but your token will still be generated.

Has the “Multi-Access Tokens Available in Server-to-Server OAuth” feature been implemented in ZoomGov?

I am still getting the “invalid access token” with the ZoomGov api.

Thanks

Hi @sgahaghan
I am not aware if this has been implemented for Zoom for Gov, but let me look into this and will get back to you