I have an app that stores refreshToken and accessToken, and I only refresh when a token is expired while the user is performing an action, and then I store the new token back.
In the recent test, I authorized my app 2 days ago, used it once and then didn’t touch it again (meaning no activity in Zoom).
Then after 2-3 days, when I tried to use my app and create a request to refresh the token, I received an error that my token is expired, which is beyond me, because it’s not the case where a new token is generated. I only authorized my app and I haven’t touched it. As you stated that refreshToken has 15 years of expiry, I highly doubt that. In case you want to investigate further, I can provide my Zoom account that was authorized for the app I developed, and you can check the logs against it to see whether the request to refresh the token was generated or the refreshToken was invalid itself.
Here is my code in JavaScript that refreshes the token. I am using “axios”, so the auth object creates the Basic Auth token.
Thanks for providing these details—and happy to look into this for you. In order to check on this, can you email us the following details to developersupport@zoom.us:
Can you confirm that you’re using the latest access_token and refresh_token? Please note that when you retrieve an access_token, a new refresh token is provided as well. Similarly, if you use a refresh token once, you will need to request a fresh one from your most recent request.
In other words, both the access token and refresh tokens are updated each time you retrieve them, so you need to make sure you’re using the latest.
Thank you for providing additional information. First, I would try using a Content-Type of application/json. I also decoded the refresh_token that you used and it didn’t seem to be valid. Where are you getting that refresh_token from and can you confirm that there are no issues introduced when copying and pasting the token?
But this is nonsense! The refresh tokens by definition should be long-lived so what’s the point in making them available for usage only once? The refresh token is valid for 15 years but it can be used only once in this period and then must be replaced by a new one. What’s the point of the refresh token then? To use it once in 15 years? Can anybody explain to me this nonsense design?
To clarify, the purpose of the refresh token is to request a new access token. Although the refresh token expires after 15 years, it becomes invalid after it is used to request a new access token. You will receive a new refresh token pair and an access token once you use the old refresh token. You will have to update these old values with new ones. These details are covered here as well.
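The rotation rule described in the replies above, as an added example (not code from the original poster or from Zoom): a client that saves the new refresh token from every response and lets concurrent callers share one refresh, so the single-use token is never submitted twice. `makeFakeAuthServer`, `TokenManager` and all token values are hypothetical stand-ins constructed for the example; no real endpoint is called.

```javascript
// Constructed stand-in for a token endpoint: each refresh token works once.
function makeFakeAuthServer(initialRefreshToken) {
  let valid = initialRefreshToken, n = 0;
  return async function requestTokens(refreshToken) {
    await new Promise((resolve) => setTimeout(resolve, 5)); // fake latency
    if (refreshToken !== valid) throw new Error("invalid_grant");
    n += 1;
    valid = `refresh-${n}`; // the token just used is now dead
    return { access_token: `access-${n}`, refresh_token: valid, expires_in: 3600 };
  };
}

// Hypothetical client-side manager; names are illustrative.
class TokenManager {
  constructor(store, requestTokens) {
    this.store = store; // { accessToken, refreshToken, expiresAt }
    this.requestTokens = requestTokens;
    this.inFlight = null; // shared promise while a refresh is running
  }

  async getAccessToken() {
    if (this.store.accessToken && Date.now() < this.store.expiresAt - 30000) {
      return this.store.accessToken;
    }
    // Single-flight: concurrent callers await the same refresh request.
    if (!this.inFlight) {
      this.inFlight = this.refresh().finally(() => { this.inFlight = null; });
    }
    return this.inFlight;
  }

  async refresh() {
    const t = await this.requestTokens(this.store.refreshToken);
    // Save the NEW refresh token together with the access token.
    this.store.accessToken = t.access_token;
    this.store.refreshToken = t.refresh_token;
    this.store.expiresAt = Date.now() + t.expires_in * 1000;
    return t.access_token;
  }
}

async function demo() {
  const server = makeFakeAuthServer("refresh-0");
  const store = { accessToken: null, refreshToken: "refresh-0", expiresAt: 0 };
  const tm = new TokenManager(store, server);
  // Two simultaneous callers trigger only one refresh.
  const [a, b] = await Promise.all([tm.getAccessToken(), tm.getAccessToken()]);
  // Replaying the already-used refresh token is rejected.
  const replay = await server("refresh-0").then(() => "accepted", (e) => e.message);
  return { a, b, stored: store.refreshToken, replay };
}
```

In a real app the store would be durable storage, written before the new access token is used, so a crash between the refresh and the save does not leave the app holding only the dead refresh token.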