Why does refresh token change when generating new access token

sabraha5 · July 9, 2020, 1:52pm

Description
We have generated access/refresh token based on User OAuth code using “https://api.zoom.us/oauth/token?grant_type=authorization_code&code={code}” and able to utilize access token…when we look to generate a new access token using the refresh token using “https://api.zoom.us/oauth/token?grant_type=refresh_token&refresh_token={{refreshtoken}}”, the refresh token seems to be updated. I thought the refresh token doesn’t expire for 15 years and so why does a new value get generated every time generating an access token?

Error
The full error message or issue you are running into.

Which App Type (OAuth / Chatbot / JWT / Webhook)?
OAuth

Which Endpoint/s?

https://api.zoom.us/oauth/token?grant_type=refresh_token&refresh_token={{refresh_token}}

michael.zoom · July 14, 2020, 4:04am

Hi @sabraha5, the refresh token is intended to be single use for one transactional exchange of a new access token.

The OAuth process matches the client application’s requested scopes to the individual user’s permissions, allowing a valid access token to authorize the associated APIs within the expiration time of 1 hour.

The refresh token is used in verifying that the user’s permissions, client app scopes, and client app installation (user authorization) all still match, and that a new access token should be provided. This invalidates the previous access token and refresh token pair, providing a new unique pair.

sabraha5 · July 14, 2020, 4:21am

hey @michael.zoom…thank you very much for the response/feedback! yeah you know maybe I am reading the documentation incorrectly when it states refresh token is valid for 15 years…maybe if not used to regenerate accesstoken it is valid for that long…but as you stated once accesstoken is regenerated, the refreshtoken also gets regenerated…we have changed our logic to correctly save off the regenerated refresh token…

tommy · July 16, 2020, 6:29pm

Hey @sabraha5,

Correct! If the access token is never refreshed, the refresh token will be available for 15 years to refresh the token.

But yes, the refresh token regenerates after each refresh. We will make this more clear in our docs! Thanks for your feedback!

Thanks,
Tommy

Topic		Replies	Views
Refresh Token expires after few hours when ever we need to get Access Token API and Webhooks	10	3662	December 19, 2020
Question about OAuth refresh_token API and Webhooks	4	661	August 21, 2020
OAuth refresh token was working, now is not API and Webhooks	4	1578	December 1, 2021
Questions Regarding OAuth Tokens API and Webhooks	2	419	September 30, 2020
Access and refresh token changes in V2 API and Webhooks api	5	1430	September 14, 2023

Why does refresh token change when generating new access token

Related Topics