The procedure for increasing the token tolerance (token_index) and its impact

Hello, we have a public app with a current token tolerance of 1 (any time a user can have only one valid access token) but we are using the same app in two different systems and both of these systems have integrations with active users. Now, the issue is that there might be users using both the systems and with both systems, they might want to integrate with Zoom but here’s what will happen if they do. Assume, the below case:

  1. User XYZ logs into our legacy system and authenticate with Zoom, this will generate an access token.
  2. The same user now logs into our newer system and integrate with zoom on it as well. This will generate another access token.
  3. After generating the second access token, the first one gets invalidate and in the legacy integration will stop working.

To tackle the above scenario, I was going through different articles and came across this article Request to increase OAuth token_index tolerance - #4 by jlsingleton

I believe the answer to my problem is that I get Zoom to increase the token tolerance for my s2s-oauth app. I have the following questions now:

  1. What is the exact procedure of increasing the token tolerance and whom should I be contacting?
  2. How long it usually takes to get this done, i.e. get my tolerance increased.
  3. This is the most important bit, our legacy system is using the token endpoint “” and we are not using the “token_index” query parameter in that endpoint and we want it to remain like that. We do not want to make any changes in that endpoint and add the token_index query parameter to it.
  4. Now keeping in mind point 3 above, if we increase the token tolerance of our app, will the endpoint mentioned above keep working without the token_index query parameter or after the increase in tolerance, the query paramter becomes required and we must then add the query paramter in all of our endpoints (token endpoints)? If the parameter is not required then what does that mean? Which index will be used if I do not mention the index? Will it by default mean that the 0th token index is being used if I do not specify? The reason we ask this is that we do not want to make changes to the legacy endpoint and after getting the tolerance increase, we are assuming that without sending the query parameter, it will always default to 0th index. Is that assumption correct?

Please do gives us clarity on the above, thank you.

Hi @apps2 ,

Token tolerance for user-level OAuth apps will not require token_index, nor a difference in API querying on your end – that’s specific to Server to Server OAuth.

I will message you for your app name, developer email, production client id and token increase number and will get that processed for you :slight_smile:

@gianni.zoom So, I do not have to use any query parameters in order to generate multiple access tokens without invalidating the previously generated access tokens? Can you share an example of how multiple access tokens can be generated for the user-level OAuth app?

@gianni.zoom any updates here?

Hi @apps2 ,

We increase the tolerance for your app on our end so that you can have multiple concurrent valid tokens up to a certain number. You will not have to change anything on your end. There’s also a feature request to support multiple access tokens per app so developers can avoid this going forward (ZOOM-429593). When it is released for production, Zoom will share!

@gianni.zoom so I am getting this right, let me know if the below is correct given that I do not have to change anything at my end or mention the index number in the token calls:

  1. You will have my app’s tolerance increased to a certain number. Let’s say 3
  2. My users will log in using my app. If they log into three different environments using the same OAuth app, they can have three valid concurrent access tokens.
  3. If now, they log in again, the oldest access token will get invalidated?

And also, can you please confirm whether this can be tested on an unverified app? I want to test this on our test app which has not been published on the Zoom marketplace as of yet. I want to test these changes there before I make changes into my actual production app

@gianni.zoom any updates on this? I would like to proceed with this as I would like to test this and have the app up and running. What are the next steps here and can you also respond to the above comment?

Hi @apps2 ,

Here’s how it works:
Token tolerance [user authorized app] :
By default the token tolerance for all tokens is 0. That means if I generate a new access token with a refresh token, the previous values (access token and refresh token) will become invalid. If I increase the token tolerance, to say 5, my refresh token can be used until 5 new access tokens are generated. However the value of my access tokens will expire as soon as a new one is generated. This is helpful incase a developer looses a refresh token, the end user does not need to authorize.

Does this clarify? If you want to increase your token tolerance, I will reach out to you and get your app name, developer email, production client id and token increase number.