Refresh Tokens are Always Invalid

Description
When I request a new access token (and refresh token), the refresh token is always invalid. The access token works perfectly fine.

I know that the refresh token changes after the first refresh, but the first refresh always fails.

POST to https://zoom.us/oauth/token?grant_type=refresh_token&refresh_token=[[refresh_token]]

Error
HTTP/1.1 401 Unauthorized
Cache-Control: no-store
Connection: close
Date: Fri, 15 Jan 2021 18:23:22 GMT
Pragma: no-cache
Server: nginx
Content-Type: application/json;charset=UTF-8
Client-Date: Fri, 15 Jan 2021 18:23:22 GMT
Client-Peer: ****
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
Client-SSL-Cert-Subject: /C=US/ST=California/L=San Jose/O=Zoom Video Communications, Inc./CN=*.zoom.us
Client-SSL-Cipher: ECDHE-RSA-AES256-GCM-SHA384
Client-SSL-Warning: Peer certificate not verified
Client-Transfer-Encoding: chunked
Client-Warning: Missing Authenticate header
Content-Security-Policy: upgrade-insecure-requests; …’;

{"reason":"Invalid Token!","error":"invalid_request"}

My current refresh token:

Tried it in Postman and it gives the same error.

Hi @mattexware,

Thanks for reaching out about this.

Can you please ensure that you’re using the most up-to-date refresh token? Please note that each time an access token is retrieved, both the access_token and refresh_token are refreshed, invalidating the previous refresh token.

Additionally, please ensure that you’re passing an Authorization header:

Let me know if this helps,
Will
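
The refresh flow described in the reply above, as an added example that is not part of the original thread and not Zoom's own code: the request carries an Authorization header, and the rotated refresh token is stored before anything else can reuse the old one. It assumes standard OAuth 2.0 HTTP Basic client authentication (base64 of `client_id:client_secret`) and sends the parameters in the form body rather than the URL; the function names and the token file are hypothetical.

```python
import base64
import json
import os
import tempfile
import urllib.parse
import urllib.request

TOKEN_URL = "https://zoom.us/oauth/token"  # endpoint from the post above


def build_refresh_request(client_id, client_secret, refresh_token):
    """Build the refresh POST with HTTP Basic client authentication (RFC 6749, 2.3.1)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": refresh_token}
    ).encode()
    # Parameters go in the form body, not the URL, so the token stays out of access logs.
    return urllib.request.Request(
        TOKEN_URL,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def save_tokens(path, token_response):
    """Atomically replace the stored token pair; the previous refresh token is now invalid."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:  # mkstemp creates the file with mode 0600
        json.dump({k: token_response[k] for k in ("access_token", "refresh_token")}, fh)
    os.replace(tmp, path)


def refresh(path, client_id, client_secret):
    """Use the stored refresh token once and persist the rotated pair before returning."""
    with open(path) as fh:
        current = json.load(fh)["refresh_token"]
    req = build_refresh_request(client_id, client_secret, current)
    # urlopen verifies the server certificate by default; leave that enabled.
    with urllib.request.urlopen(req, timeout=10) as resp:
        tokens = json.load(resp)
    save_tokens(path, tokens)
    return tokens["access_token"]
```

Only one process should call `refresh` for a given token file at a time, since a second caller holding the old refresh token will get the same 401 shown in the question.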
