
access_token changes when refreshing with refresh_token

Question asked by Mika Majala on Sep 6, 2016
Latest reply on Sep 9, 2016 by Mika Majala

Hi all,


I'm wondering if one of my scripts is working as intended. Here's the situation:


I save the access_token and refresh_token tokens and their expiration times to a database. When retrieving the access_token, I also check whether the expiration time has passed (with 10 minutes of headroom), and if so, I use the refresh_token to update the access_token expiration.


The thing that I'm wondering is, why does the access_token itself change? Is it supposed to? Let's say I have an access_token "47e4c78c-65d4-5cda-ac74-57ce9a73d47e" that has expired and I refresh it. Suddenly it changes to "6e34021a-59c9-29ea-2fc9-57cea31af19d".


Here are the arguments I pass to /oauth/token when refreshing:

// Body sent to /oauth/token for the refresh_token grant
$token_arguments = array(
    "grant_type" => "refresh_token",
    "refresh_token" => $refresh_token,
    "client_id" => "xyxyxy",
    "client_secret" => "xyxyxyxy"
);

If required I will post some more code, but I will likely have to edit some stuff out (like the client_id & client_secret here).


Also, sometimes the access_token and refresh_token seem to get invalidated much sooner than the response claims. The response has expires_in set to 1 hour and refresh_expires_in set to 14 days, but it seems they (both) can be invalidated in as little as 5-10 minutes, which causes the remainder of the script to fail because I'm checking the expirations from what I have saved. Why can they get invalidated sooner than they're supposed to? It seems random too.


Thank you in advance!



PS. Our instance is on-demand, including the sandbox that I'm currently testing this script with, so I can't check for a lot of the config settings without contacting support. The sandbox does not have any other traffic to it.
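
The refresh flow described in the question, as an added example that is not part of the original post or any vendor code: it saves whatever tokens the refresh response returns and treats the stored expiry as a hint, refreshing once more when a call is rejected with 401. The function names, the `$store` keys, and the `$postToken` and `$api` callables are hypothetical stand-ins for the database row and the HTTP calls.

```php
<?php
// Added example. $store stands in for the database row; $postToken and $api
// are hypothetical callables wrapping the POST to /oauth/token and an API call.
function refreshTokens(array $store, callable $postToken, int $now): array
{
    $resp = $postToken([
        "grant_type"    => "refresh_token",
        "refresh_token" => $store["refresh_token"],
        "client_id"     => "xyxyxy",
        "client_secret" => "xyxyxyxy",
    ]);
    if (empty($resp["access_token"])) {
        throw new RuntimeException("refresh rejected; a new authorization is needed");
    }
    // The response carries the access_token to use from now on (its value
    // changes, as in the post), so overwrite the saved one and its expiry.
    $store["access_token"]   = $resp["access_token"];
    $store["access_expires"] = $now + (int) $resp["expires_in"];
    if (!empty($resp["refresh_token"])) {        // keep the old one if none is returned
        $store["refresh_token"] = $resp["refresh_token"];
    }
    if (isset($resp["refresh_expires_in"])) {
        $store["refresh_expires"] = $now + (int) $resp["refresh_expires_in"];
    }
    return $store;
}

function callApi(array &$store, callable $postToken, callable $api, int $now, int $headroom = 600): array
{
    if ($now >= $store["access_expires"] - $headroom) {   // proactive refresh, 10 min headroom
        $store = refreshTokens($store, $postToken, $now);
    }
    $result = $api($store["access_token"]);
    if ($result["status"] === 401) {
        // The saved expiry said "still valid" but the server disagreed:
        // refresh once and retry instead of failing the rest of the script.
        $store  = refreshTokens($store, $postToken, $now);
        $result = $api($store["access_token"]);
    }
    return $result;
}

// Constructed demo: the fake server only accepts "new-access", although the
// stored expiry for "old-access" is still well in the future.
$postToken = fn(array $args) => ["access_token" => "new-access", "expires_in" => 3600,
                                 "refresh_token" => "new-refresh", "refresh_expires_in" => 1209600];
$api   = fn(string $token) => ["status" => $token === "new-access" ? 200 : 401];
$store = ["access_token" => "old-access", "access_expires" => 4000,
          "refresh_token" => "old-refresh", "refresh_expires" => 1210600];
$result = callApi($store, $postToken, $api, 1000);
echo $result["status"], " ", $store["access_token"], " ", $store["refresh_token"], "\n";
```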