Skip to main content

I am using expiring access-tokens in my application. I followed the steps here for the authorization process. Everything works fine until we reach the step5: where we try to fetch the access-token using the refresh-token.

I store the refresh-token in the backend and make an API call to fetch the updated access-token whenever a MIRO REST API is called, and update the refresh_token in case the fetched refresh_token is not the same as what I have stored in the backend. 

Everything was working fine up until yesterday, now I keep getting this error:

{
  "status": 401,
  "code": "oauthError",
  "message": "Invalid refresh token: <refresh_token>",
  "type": "error"
}

And for some reason with every call to this API https://api.miro.com/v1/oauth/token?grant_type=refresh_token&client_id=CLIENT_ID&client_secret=CLIENT_SECRET&refresh_token=REFRESH_TOKEN the refresh_token returned is changed. Even though it shouldn’t because according the docs it doesn’t expire unless it’s been 60 days. 

Any help is greatly appreciated! 

Ahh yes, this is a result of ambiguous wording. I’ll have to go edit our docs after replying here.

To clarify:

Any exchange of an authorization code or a refresh token for a new access token will always return a new refresh token, as well.

If the previous access or refresh tokens were still valid, and not yet expired, they become invalid by the act of requesting a new token. So, every time you use the refresh token to get a new access token, you’ll need to update your stored refresh token to the new value.

Think of it like a “one-time-use” situation for a refresh token. You have 60 days to use it, but once you use it, it’s gone.

Hopefully this helps! Sorry for the confusion.

Joanna

Hi @Joanna Smith 

Thank you for your response, it does help put things in perspective.

Reply


Terms & Conditions