Hi @sabraha5, the refresh token is intended to be single use for one transactional exchange of a new access token.
The OAuth process matches the client application’s requested scopes to the individual user’s permissions, allowing a valid access token to authorize the associated APIs within the expiration time of 1 hour.
The refresh token is used in verifying that the user’s permissions, client app scopes, and client app installation (user authorization) all still match, and that a new access token should be provided. This invalidates the previous access token and refresh token pair, providing a new unique pair.
Hey @michael.zoom…thank you very much for the response/feedback! Yeah, you know, maybe I am reading the documentation incorrectly when it states the refresh token is valid for 15 years…maybe if not used to regenerate the access token it is valid for that long…but as you stated, once the access token is regenerated, the refresh token also gets regenerated…we have changed our logic to correctly save off the regenerated refresh token…
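The rotation behaviour discussed in this thread, as an added example that is not part of either post and is not Zoom's code: a client that persists the rotated refresh token on every exchange. `FakeAuthServer`, `TokenStore`, `get_access_token` and the token file path are hypothetical names, and the server is a constructed in-process stand-in so the sketch runs offline.

```python
import json, os, secrets, tempfile, time

class FakeAuthServer:
    """Constructed stand-in for an authorization server with single-use refresh tokens."""
    def __init__(self):
        self.valid_refresh = secrets.token_hex(8)

    def refresh(self, refresh_token):
        if refresh_token != self.valid_refresh:
            raise PermissionError("invalid_grant")  # already used or unknown
        self.valid_refresh = secrets.token_hex(8)   # previous pair is now invalid
        return {"access_token": secrets.token_hex(8),
                "refresh_token": self.valid_refresh,
                "expires_in": 3600}                 # 1 hour, as stated in the thread

class TokenStore:
    """Keeps the current token pair on disk (hypothetical JSON file)."""
    def __init__(self, path):
        self.path = path

    def load(self):
        with open(self.path) as f:
            return json.load(f)

    def save(self, tokens):
        # Write to a temp file (created with mode 0600) and rename, so a crash
        # never leaves a half-written pair or the stale refresh token behind.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:
            json.dump(tokens, f)
        os.replace(tmp, self.path)

def get_access_token(store, server, now=None):
    """Return a usable access token, refreshing and persisting the new pair if needed."""
    now = time.time() if now is None else now
    tokens = store.load()
    if tokens.get("expires_at", 0) - 60 > now:      # 60 s safety margin
        return tokens["access_token"]
    new = server.refresh(tokens["refresh_token"])
    new["expires_at"] = now + new.pop("expires_in")
    store.save(new)  # persist the rotated refresh token before using the access token
    return new["access_token"]
```

If several workers share one token file, serialize calls to `get_access_token`, since two concurrent refreshes with the same refresh token would leave one of them with `invalid_grant`.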