Refresh Token expires after few hours when ever we need to get Access Token

I have created an OAuth App using a free account, I am able to generate Meeting ID using Access Token, but my Refresh Token gets expired after a few hours.

Error
Refresh Token becomes invalid.

Which App Type (OAuth / Chatbot / JWT / Webhook)?
OAuth Issues

Steps to reproduce the behavior:

  1. Request URL / Headers (without credentials) / Body
  2. See error

Thanks
Fayaz

Hey @fayazvar.mobile,

To clarify, refresh tokens expire after 1 hour:

You will need to follow the guide linked above to refresh your token periodically.

Thanks,
Will

1 Like

Hey @will.zoom

So you mean I have to keep one service running for life long to refresh my “Access Token” using “Refresh Token” but practically I don’t think it is the case. I could use my “Refresh Token” to generate an “Access Token” even after 24 hours.

My actual problem is if I provide the wrong “Refresh Token” to get “Access Token” using the following link https://zoom.us/oauth/token?grant_type=refresh_token&refresh_token=
I am getting an error, but after that, if I use the correct “Refresh Token” that even does not return “Access Token”, it is like i lost my single chance, there should be some kind of limit how many times i can provide wrong “Refresh Token”.

Regards,
Fayaz

Hey @fayazvar.mobile,

It sounds like you may be using an outdated refresh token each time. Note that each time you request an access token, both a new token and refresh token are provided, and you’ll need to store these latest values each time.

Please try generating a new access_token and refresh_token, and then try the new refresh_token value. Make sure to use the new access and refresh tokens each refresh.

Let me know if this helps to clarify,
Will

1 Like

Hey @will.zoom,

Yes, whenever I get a new Access Token, the same time I am getting a new Refresh Token also, I save that Refresh Token in a Database, next time when I fetch a new Access Token, I use that stored Refresh Token. Problem is when i hit Zoom API to get new Access Token, if by mistake i sent wrong Refresh Token inside the request, i will get error message as “Access Denide”. i should have atleast 3 chances to send wrong Refresh Token to get new Access Token. If i send Wrong Refresh Token, actual Refresh Token from zoom side should not get invalid unless my 3 chances are over.

Thanks
Fayaz

Hey @fayazvar.mobile,

Thanks for your feedback. We are aware of this limitation of our OAuth flow where latest refresh token must always be used for the next refresh request. In some cases we provide a higher refresh tolerance for apps that have trouble keeping the most recent refresh token up to date. Please let us know why your system fails to update the refresh token each time and we will consider increasing your tolerance to 2 or 3.

Thanks,
Tommy

1 Like

Hey @tommy,

Concurrency issue, My API which gets “Access Token” then uses that “Access Token” to get new “Meeting ID” is being used by many users. Flow is

  1. Get Stored “Refresh Token” from Database.
  2. Use that “Refresh Token” to fetch the latest “Access Token” from Zoom Portal/ Zoom Hosted App.
  3. Store this new “Refresh Token” into the Database.

Any of these Processes can take time depends on internet speed. During the same time if another user starts the above process, So he is providing the wrong “Refesh Token” to the Zoom API. This creates a huge issue, because in real sense we don’t have now “Refresh Token”, so we can never get “Access Token”. We need to authorize the Zoom hosted App again, it becomes a manual process then.

Best Regards,
Fayaz

Hey @fayazvar.mobile,

Thanks for sharing this. Can I ask why two different Zoom users would be using the same access / refresh tokens though?

-Tommy

1 Like

Hey @tommy,

Because both will use our same Angular Web App. So we will have a single Account for our Angular Web App. In fact, one department will use one Zoom Account. All of them can use it together. BTW none of the users is directly a zoom user, Only our Angular Web App is a zoom user.

Thanks
Fayaz

Hey @fayazvar.mobile,

I see, so it is basically a service account. :slight_smile:

You have 2 options then:

  1. Refresh the Access Token when someone needs to use the app, and the token is expired.

  2. Always direct users to the authorize URL, so you can just get a new access token every time.

In the future, we will support multiple active OAuth tokens per user to enhance the flow where the user needs to OAuth on multiple devices.

Thanks,
Tommy

1 Like