| Announced on | Rollout starts |
|---|---|
| February 2, 2026 | February 2, 2026 |
We’re making some changes to the default behavior of new global OAuth clients so that access and refresh tokens automatically expire. Additionally, the current deadline for existing local (non-global) OAuth clients to adopt the refresh token flow has been extended to April 1, 2027.
What is changing?
As of February 2, 2026, the previously announced change requiring global OAuth clients to use the refresh token flow is now in effect. Accordingly, we are enforcing the default TTL (time to live) for access and refresh tokens for (1) all newly created global OAuth clients (also called external OAuth clients) and (2) existing global OAuth clients with no usage, or no usage in the past 3 months. For global OAuth clients with more recent usage, expirations will be applied as part of the ongoing efforts to carry out our enhanced security guidelines.
Additionally, starting April 30, 2026, all newly created local (non-global) OAuth clients will automatically have the same default TTLs applied. The previously announced deadline to adopt the refresh token flow has been extended to April 1, 2027.
| Token type | Default TTL | Minimum TTL | Maximum TTL |
|---|---|---|---|
| Access token | 30 minutes | 5 minutes | 48 hours |
| Refresh token | 30 days | 7 days | 90 days |
Why is Zendesk making this change?
To strengthen security and align with modern standards, we’re requiring OAuth 2.0 refresh tokens for all global OAuth clients created after February 2, 2026. This ensures access tokens are short-lived and rotated, which greatly reduces the window of opportunity if a token is exposed. With the frequency and sophistication of attacks and data breaches rising worldwide, adopting refresh tokens is an increasingly common industry best practice to limit the impact of credential exposure.
What do I need to do?
To see when an existing global OAuth client was last used:
- In Admin Center, click Apps and integrations in the sidebar, then select APIs > External OAuth clients.
- Find the client in the list whose tokens you want to view.
- Click the options menu next to the client and select View token to see the "Last used at" timestamp.
If you're a third-party app developer, you can use the following general guidelines to prepare your app for OAuth token expiration and refresh handling. The exact implementation details will vary depending on your application and how it's built. For more information, see Working with OAuth refresh tokens.
- Implement the refresh flow so your app can renew access without forcing users to reauthorize. Use the /oauth/tokens endpoint with `grant_type=refresh_token` to obtain a new access token. If you use an OAuth client library or package, review its documentation to confirm it supports refresh tokens (and automatic token refresh) and update your configuration or version as needed. Depending on your OAuth client implementation, you may also need to update how you store refresh tokens and handle access token expiration.
- Handle rotation and expiration. Refresh access tokens before they expire (or when an OAuth-authenticated request returns a 4xx response) to avoid interruptions, and replace old refresh tokens when a new one is returned.
- Handle failures gracefully. If a request authenticated with OAuth fails, or if a request to refresh the access token is unsuccessful, show users a clear message and prompt them to reauthorize the app so it can obtain a new access and refresh token.
- Monitor and support the rollout.
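As an added illustration of the refresh, rotation and failure-handling guidance above (example code written for this page, not Zendesk's own), a small Python token manager that refreshes before the access token expires, retries once on a 401, swaps in a rotated refresh token, and raises when the user must reauthorize. The client_id/client_secret form fields, the JSON response keys and the fake_post transport are assumptions, not taken from this page.

```python
import time
from dataclasses import dataclass
@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float          # Unix time at which the access token expires

class ReauthorizationRequired(Exception):
    pass                       # refresh failed: prompt the user to reauthorize
class TokenManager:
    """Keeps a usable access token by refreshing before expiry and on 401."""
    REFRESH_MARGIN = 300       # refresh when fewer than 5 minutes remain

    def __init__(self, tokens, post, client_id, client_secret, now=time.time):
        self.tokens, self._post, self._now = tokens, post, now
        self._client_id, self._client_secret = client_id, client_secret

    def refresh(self):
        # Standard OAuth 2.0 refresh request (client_id/client_secret assumed).
        status, body = self._post("/oauth/tokens", {
            "grant_type": "refresh_token",
            "refresh_token": self.tokens.refresh_token,
            "client_id": self._client_id,
            "client_secret": self._client_secret,
        })
        if status != 200 or "access_token" not in body:
            raise ReauthorizationRequired(f"refresh failed with HTTP {status}")
        # Rotation: a newly issued refresh token replaces the old one.
        self.tokens = TokenSet(body["access_token"],
                               body.get("refresh_token", self.tokens.refresh_token),
                               self._now() + body["expires_in"])
        return self.tokens

    def get_access_token(self):
        if self._now() >= self.tokens.expires_at - self.REFRESH_MARGIN:
            self.refresh()
        return self.tokens.access_token

    def call(self, send):
        """send(access_token) -> HTTP status; on 401 refresh once and retry."""
        status = send(self.get_access_token())
        if status == 401:
            status = send(self.refresh().access_token)
        return status

# Constructed stand-in for an HTTP POST so the example runs offline.
def fake_post(path, form):
    if path == "/oauth/tokens" and form.get("refresh_token") == "r1":
        return 200, {"access_token": "a2", "refresh_token": "r2", "expires_in": 1800}
    return 401, {"error": "invalid_grant"}
```

Persist the new TokenSet after every successful refresh; once the server rotates the refresh token, the old one is no longer usable.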
If you have feedback or questions related to this announcement, visit our community forum where we collect and manage customer product feedback. For general assistance with your Zendesk products, contact Zendesk Customer Support.