
OAuth2 refresh token lasts for only a single request


Hi


I’m building a PHP app and I implemented the OAuth flow described in the documentation



However, after I successfully receive my refresh token, it only works for one request; the following request always fails.

Any reason why it won’t allow me to use the refresh token again in offline mode?


Thanks

5 replies

rbarbosa Box
  • Developer Advocate
  • 553 replies
  • January 17, 2024

Hi @user172 , welcome to the forum.


That is by design.


When you use the refresh endpoint POST /oauth2/token, sending the refresh token, you get back a fresh access token valid for 60 minutes, but also a fresh refresh token, valid for 60 days.


The next time you try to refresh the access token you must use the previous refresh token.


In case there is some concurrency in the refresh, the platform handles it fine, and returns the same new pair of tokens.


Let us know if this helps.


Cheers


  • Author
  • New Participant
  • 2 replies
  • January 18, 2024

Hi @rbarbosa

I posted to /oauth2/token and got the fresh refresh token, that’s the token I was referring to that only works once…

thanks


rbarbosa Box
  • Developer Advocate
  • 553 replies
  • January 18, 2024

I may be missing your point then.


The refresh token is indeed single use, that is by design.


The access token can be used multiple times until it expires after 60 minutes.


When you use the refresh token, you get a new access token and a new refresh token.


After the new access token expires you use the new refresh token and start the process over.


When a new refresh token is generated, the old ones stop working, with the exception for concurrency I mentioned.


If that happened or if somehow the refresh token is lost, try to re-authorize the application, and start over if possible.


  • Author
  • New Participant
  • 2 replies
  • January 18, 2024

Thanks @rbarbosa, I was able to get it working by saving the refresh token when requesting the access token (although other OAuth implementations do not require this with the offline option).


rbarbosa Box
  • Developer Advocate
  • 553 replies
  • January 18, 2024

Awesome!


And yes… Box goes above and beyond when it comes to authentication.


Cheers
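The fix described in this thread (saving the new refresh token every time a new access token is requested) can be sketched as below. This is an added example, not code from the thread or from Box: `FakeTokenEndpoint`, `refreshAndStore` and the `rt-`/`at-` token values are hypothetical, and the fake endpoint stands in for the real `POST /oauth2/token` call so the script runs offline.

```php
<?php
// Constructed stand-in for POST /oauth2/token so this runs offline.
// It mimics the single-use rotation described in the thread.
final class FakeTokenEndpoint
{
    private string $current = 'rt-0';   // constructed sample token
    private int $n = 0;
    public function refresh(string $refreshToken): array
    {
        if (!hash_equals($this->current, $refreshToken)) {
            return ['error' => 'invalid_grant'];   // already-used token
        }
        $this->current = 'rt-' . ++$this->n;
        return ['access_token' => 'at-' . $this->n, 'expires_in' => 3600,
                'refresh_token' => $this->current];
    }
}

// Refresh under an exclusive lock; store the new pair before returning it.
function refreshAndStore(FakeTokenEndpoint $endpoint, string $path): array
{
    $fh = fopen($path, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        throw new RuntimeException('cannot lock token store');
    }
    try {
        $stored = json_decode(stream_get_contents($fh) ?: '{}', true) ?? [];
        $reply = $endpoint->refresh($stored['refresh_token'] ?? '');
        if (isset($reply['error'])) {
            throw new RuntimeException('refresh failed, re-authorize: ' . $reply['error']);
        }
        $reply['expires_at'] = time() + $reply['expires_in'];
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, json_encode($reply));
        return $reply;
    } finally {
        flock($fh, LOCK_UN);
        fclose($fh);
    }
}

$path = tempnam(sys_get_temp_dir(), 'tok');   // created with mode 0600
file_put_contents($path, json_encode(['refresh_token' => 'rt-0']));
$endpoint = new FakeTokenEndpoint();
echo refreshAndStore($endpoint, $path)['access_token'], "\n";  // sends rt-0
echo refreshAndStore($endpoint, $path)['access_token'], "\n";  // sends stored rt-1
echo json_encode($endpoint->refresh('rt-0')), "\n";            // rt-0 is spent
unlink($path);
```

The file lock keeps two PHP workers from exchanging the same stored token at once, and the token file should stay readable only by the application user, since the refresh token is valid for 60 days.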

