Regarding OAuth2.0 refresh_token authentication
Posted June 17, 2025
Hi Zendesk Teams,
We have noticed that Zendesk has recently enabled support for the OAuth 2.0 refresh_token mechanism, and we have implemented a fallback mechanism to handle expired access tokens and expired refresh tokens. We've been testing the implementation using Postman. Below is the response we received.
Postman Request: Followed this step: https://learning.postman.com/docs/sending-requests/authorization/oauth-20/#using-oauth-20
Response:
We have a few questions:
- In the documentation, the property is listed as expires_in, but in the actual response, we see expires_at. Could you clarify the reason for this difference?
- We observed that the expires_at field is returning null. Is this expected behavior, or is something missing in our request?
- What scopes are required for refresh token support? Currently, we’ve included read and write. Do we also need to add offline_access or any other scopes as part of enabling token refresh?
- Is Zendesk using the standard OAuth 2.0 flow, or are there any customizations in the flow or response attributes that we need to accommodate in our application?
- How can we enable the refresh_token? Looking at the response, it looks like this token will not expire.
Thanks in advance for your help!
1 comment
Erica Girges
For the difference between expires_in and expires_at - expires_in is an optional property where you can set the token's expiration time in milliseconds.
There are also 2 separate endpoints for creating tokens: Create Token for Grant Type & Create Token. Create token for grant type requires an authorization code whereas with the Create Token endpoint you do not need an authorization code.
Also in the Create Token endpoint, refresh tokens are not used, therefore you will not have an expiration.
The correct endpoint to use for refresh tokens would be the Create Token for Grant Type.
I recommend looking at this article to get an idea for the OAuth flow for the refresh token grant type. It also walks through how to get the authorization code needed for that grant type.
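The client-side fallback the question describes, as an added example (not code from the original post, the reply, or Zendesk): it normalises a token response that carries `expires_in`, a null `expires_at`, or neither, refreshes shortly before expiry, and signals re-authorization when the refresh token is missing or rejected. `post_token` is a hypothetical caller-supplied function that POSTs the form to the token endpoint and returns the parsed JSON; the code assumes RFC 6749 semantics (`expires_in` in seconds, `grant_type=refresh_token`, an `error` field on failure) and treats a non-null `expires_at` as epoch seconds.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional


class ReauthorizationRequired(Exception):
    """Refresh is impossible: the user must repeat the authorization-code flow."""


@dataclass
class TokenState:
    access_token: str
    refresh_token: Optional[str]
    expires_at: Optional[float]  # epoch seconds; None = server reported no expiry


def parse_token_response(body: dict, now: float) -> TokenState:
    """Normalise a response carrying expires_in, expires_at, or neither."""
    if "error" in body:  # e.g. invalid_grant for an expired or revoked refresh token
        raise ReauthorizationRequired(body["error"])
    expires_at = None
    if body.get("expires_in") is not None:    # relative lifetime (assumed seconds)
        expires_at = now + float(body["expires_in"])
    elif body.get("expires_at") is not None:  # assumed absolute epoch seconds
        expires_at = float(body["expires_at"])
    return TokenState(body["access_token"], body.get("refresh_token"), expires_at)


def needs_refresh(state: TokenState, now: float, skew: float = 60.0) -> bool:
    """Refresh `skew` seconds early; a token with no expiry never needs it."""
    return state.expires_at is not None and now >= state.expires_at - skew


def ensure_fresh(state: TokenState, post_token: Callable[[dict], dict],
                 now: Optional[float] = None, skew: float = 60.0) -> TokenState:
    """Return a usable token state, refreshing through post_token if required."""
    now = time.time() if now is None else now
    if not needs_refresh(state, now, skew):
        return state
    if not state.refresh_token:
        raise ReauthorizationRequired("no refresh_token was issued")
    body = post_token({"grant_type": "refresh_token",
                       "refresh_token": state.refresh_token})
    new = parse_token_response(body, now)
    if new.refresh_token is None:  # server did not rotate: keep the old one
        new.refresh_token = state.refresh_token
    return new
```

Store the returned `TokenState` after every call: when the server rotates refresh tokens, the previous one may no longer be accepted.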