
Regarding OAuth2.0 refresh_token authentication



Posted June 17, 2025

Hi Zendesk Teams,

 

We have noticed that Zendesk has recently enabled support for the OAuth 2.0 refresh_token mechanism, and we have implemented a fallback mechanism to handle expired access tokens and expired refresh tokens, so we’ve been testing the implementation using Postman. Below is the response we received.

Postman Request: Followed this step:  https://learning.postman.com/docs/sending-requests/authorization/oauth-20/#using-oauth-20




Response:
 



We have a few questions:

  1. In the documentation, the property is listed as expires_in, but in the actual response, we see expires_at. Could you clarify the reason for this difference?
  2. We observed that the expires_at field is returning null. Is this expected behavior, or is something missing in our request?
  3. What scopes are required for refresh token support? Currently, we’ve included read and write. Do we also need to add offline_access or any other scopes as part of enabling token refresh?
  4. Is Zendesk using the standard OAuth 2.0 flow, or are there any customizations in the flow or response attributes that we need to accommodate in our application?
  5. How can we enable the refresh_token? Looking at the response, it looks like this token will not expire.

 

Thanks in advance for your help!


1 comment

      Hello! 
       
      For the difference between expires_in and expires_at - expires_in is an optional property where you can set the token's expiration time in milliseconds. 
       
      There are also 2 separate endpoints for creating tokens: Create Token for Grant Type & Create Token. Create token for grant type requires an authorization code whereas with the Create Token endpoint you do not need an authorization code. 
       
      Also in the Create Token endpoint, refresh tokens are not used, therefore you will not have an expiration. 
       
      The correct endpoint to use for refresh tokens would be the Create Token for Grant Type.
       
      I recommend looking at this article to get an idea for the OAuth flow for the refresh token grant type. It also walks through how to get the authorization code needed for that grant type.  
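
The fallback described in the post (expired access token first, then expired refresh token) can be written as a small decision routine; this is an added example, not code from the thread or from Zendesk. It treats a response with no expiry (such as the `"expires_at": null` case above) as non-expiring and maps the RFC 6749 `invalid_grant` error to a fresh authorization. Assumptions: the function names are hypothetical, `expires_at` is taken to be an ISO 8601 timestamp, `expires_in` is read in seconds as RFC 6749 defines it (the unit is a parameter so it can follow whatever the provider documents), and the sample responses are constructed.

```python
import json
from datetime import datetime, timezone

def expiry_deadline(token, issued_at, expires_in_unit=1.0):
    """Absolute expiry in epoch seconds, or None when the response states no expiry."""
    if token.get("expires_in") is not None:
        # expires_in is relative to the moment the token was issued
        return issued_at + float(token["expires_in"]) * expires_in_unit
    if token.get("expires_at") is not None:
        # Assumption: expires_at is an ISO 8601 timestamp
        stamp = datetime.fromisoformat(str(token["expires_at"]).replace("Z", "+00:00"))
        if stamp.tzinfo is None:
            stamp = stamp.replace(tzinfo=timezone.utc)
        return stamp.timestamp()
    return None  # e.g. "expires_at": null

def next_action(token, issued_at, now, skew=60):
    """Return 'use', 'refresh' or 'reauthorize' for a stored token response."""
    deadline = expiry_deadline(token, issued_at)
    if deadline is None or now < deadline - skew:
        return "use"
    # Access token expired (or about to): refresh if we hold a refresh token
    return "refresh" if token.get("refresh_token") else "reauthorize"

def after_refresh(status, body):
    """Interpret the token endpoint's reply to a refresh_token grant."""
    try:
        reply = json.loads(body)
    except ValueError:
        return "retry_later", None
    if status == 200 and reply.get("access_token"):
        return "store", reply  # persist the new token set, including any new refresh token
    if reply.get("error") == "invalid_grant":
        # RFC 6749 section 5.2: refresh token expired, revoked or otherwise invalid
        return "reauthorize", None
    return "retry_later", None

# Constructed sample responses (not captured from any real API)
NO_EXPIRY = {"access_token": "example-a", "token_type": "bearer", "expires_at": None}
SHORT_LIVED = {"access_token": "example-b", "refresh_token": "example-r", "expires_in": 3600}
ABSOLUTE = {"access_token": "example-c", "expires_at": "2025-06-17T12:00:00Z"}
```
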
