Announced on | Phase 1 rollout | Phase 2 rollout
April 30, 2025 | April 30 - May 30, 2025 | June 30, 2026 - April 1, 2027

Starting today, customers can adopt the OAuth refresh token grant type as per the OAuth 2.0 standard, along with support for access and refresh token expiration. Third-party app developers (those publishing integrations and apps on the Marketplace) will be required to adopt the OAuth refresh_token flow by January 31, 2026. Customers are required to do so by April 1, 2027.

This announcement includes the following topics:

  • What is changing?
  • Why is Zendesk making this change?
  • What do I need to do?

What is changing?

Zendesk is introducing the OAuth refresh token grant type in two phases to transition to mandatory token expiration. This grant type is used to refresh an access token that has expired or is about to expire. The flow is available for you to adopt today. Third-party app developers must adopt the OAuth refresh flow by January 31, 2026, and all customers must adopt it by April 1, 2027.

To use the flow, pass a valid refresh_token parameter to the /oauth/tokens endpoint with grant_type: refresh_token to generate a new OAuth access token. A successful request also returns a refresh token and deletes the previous access and refresh tokens. To allow for thorough testing of the refresh_token flow and token expiry, you can also pass the expires_in and refresh_token_expires_in parameters to the /oauth/tokens endpoint with both the authorization_code and refresh_token grant types to set access token expirations. If you set an expiry, it will be applied and enforced.

Refresh tokens will be granted on all new OAuth token requests. Existing OAuth tokens cannot be refreshed. Any existing applications and integrations will continue to work as expected. OAuth clients created after April 30, 2026, automatically have the default time-to-live (TTL) enforced.

Token type | Default TTL | Minimum TTL | Maximum TTL
Access token | 30 minutes | 5 minutes | 48 hours
Refresh token | 30 days | 7 days | 90 days
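
The refresh flow and TTL limits described above, as an added Python example (not Zendesk's code) showing why a client must replace both stored tokens after every refresh. Assumptions: the request also carries client_id and client_secret, the response uses the RFC 6749 field names access_token, refresh_token and expires_in, and `post` and `fake_endpoint` are hypothetical stand-ins for an HTTP client and the token endpoint.

```python
import time

# TTL bounds in seconds, from the table in this announcement.
TTL_BOUNDS = {"expires_in": (5 * 60, 48 * 3600),
              "refresh_token_expires_in": (7 * 86400, 90 * 86400)}

def build_refresh_request(refresh_token, client_id, client_secret, **ttls):
    """Form body for POST /oauth/tokens with grant_type=refresh_token."""
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id, "client_secret": client_secret}  # client_* assumed
    for name, value in ttls.items():
        low, high = TTL_BOUNDS[name]  # KeyError for parameters this page does not name
        if not low <= value <= high:  # client-side check against the documented range
            raise ValueError(f"{name}={value} is outside {low}..{high} seconds")
        body[name] = value
    return body

class TokenPair:
    """Current access/refresh pair; refreshes shortly before the access token expires."""
    def __init__(self, post, client_id, client_secret, access_token,
                 refresh_token, expires_at, skew=60):
        self.post, self.client = post, (client_id, client_secret)
        self.access_token, self.refresh_token = access_token, refresh_token
        self.expires_at, self.skew = expires_at, skew

    def get_access_token(self, now=None):
        now = time.time() if now is None else now
        if now >= self.expires_at - self.skew:
            self._refresh(now)
        return self.access_token

    def _refresh(self, now):
        reply = self.post("/oauth/tokens",
                          build_refresh_request(self.refresh_token, *self.client))
        # The previous pair is deleted on success, so both values are replaced
        # together; a real client would also persist them at this point.
        self.access_token, self.refresh_token = reply["access_token"], reply["refresh_token"]
        self.expires_at = now + reply["expires_in"]

def fake_endpoint(valid, n=0):
    """Constructed stand-in for /oauth/tokens: each refresh token works once."""
    def post(path, body):
        nonlocal valid, n
        if body["refresh_token"] != valid:
            raise PermissionError("refresh token unknown or already rotated")
        n, valid = n + 1, f"refresh-{n + 1}"
        return {"access_token": f"access-{n}", "refresh_token": valid, "expires_in": 1800}
    return post
```

A client that keeps using the refresh token it was first issued fails on its second refresh, which is the failure the rotation comment guards against.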

Phase 1: Adoption (available now)

Customers and third-party app developers can now adopt the refresh_token flow. This grant type is used to refresh an already expired, or soon to be expired, access token.

Phase 2: Enforcement (starting June 2026)

Zendesk will begin enforcing token expiration for existing local OAuth clients. Phase 2 enforcement occurs in monthly waves from June 30, 2026 through April 1, 2027. On your scheduled enforcement date, token expiration will be enforced for all local OAuth clients in your account. We will notify you directly ahead of your scheduled enforcement date.

Why is Zendesk making this change?

This update further aligns us with the OAuth 2.0 standards, providing customers and developers with more robust and flexible API authentication. 

What do I need to do?

If you are using OAuth to authenticate API requests, your application or integration must adopt the refresh_token grant type. For more information, see Using OAuth authentication with your application.

If you have feedback or questions related to this announcement, visit our community forum where we collect and manage customer product feedback. For general assistance with your Zendesk products, contact Zendesk Customer Support.
