Announced on: April 30, 2025
Rollout starts: April 30, 2025
Rollout ends: May 30, 2025

Starting today, customers can adopt the OAuth refresh token grant type as per the OAuth 2.0 standard, along with support for access and refresh token expiration. Third-party app developers (those publishing integrations and apps on the Marketplace) will be required to adopt the OAuth refresh_token flow by September 30, 2025. Customers are required to do so by April 30, 2026.

This announcement includes the following topics:

  • What is changing?
  • Why is Zendesk making this change?
  • What do I need to do?

What is changing?

Zendesk is introducing the OAuth refresh token grant type as the first phase of adopting OAuth access token expiration. This grant type is used to refresh an access token that has expired or is about to expire. The team is making this flow available for you to adopt today. Third-party app developers must adopt the OAuth refresh flow by September 30, 2025, and all customers will be required to use it by April 30, 2026.

To use the flow, pass a valid refresh_token parameter to the /oauth/tokens endpoint with grant_type: refresh_token to generate a new OAuth access token. A successful request will also return a refresh token and delete the previous access and refresh tokens. To allow for thorough testing of the refresh_token flow and token expiry, you can also pass expires_in and refresh_token_expires_in parameters to the /oauth/tokens endpoint when using either the authorization_code or the refresh_token grant type to set access token expirations. If you set an expiry, it will be applied and enforced.
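Because a successful refresh deletes the previous access and refresh tokens, a client has to replace both stored tokens in one step and never reuse the old pair. The sketch below is an added example, not Zendesk code: TokenManager and FakeTokenEndpoint are hypothetical names, the client_id and client_secret parameters and the response fields access_token, refresh_token and expires_in follow the generic OAuth 2.0 token response and are assumptions here, and the endpoint is a constructed in-memory stand-in so the example runs offline.

```python
import itertools
import time

class FakeTokenEndpoint:
    """Constructed stand-in for POST /oauth/tokens: rotates the pair on every refresh."""
    def __init__(self):
        self._n = itertools.count(1)
        self.valid_refresh = None

    def issue(self, expires_in):
        n = next(self._n)
        self.valid_refresh = f"refresh-{n}"      # the previous pair is now dead
        return {"access_token": f"access-{n}", "refresh_token": self.valid_refresh,
                "expires_in": expires_in}

    def post(self, path, payload):
        assert path == "/oauth/tokens" and payload["grant_type"] == "refresh_token"
        if payload["refresh_token"] != self.valid_refresh:
            raise PermissionError("invalid_grant: refresh token already used or unknown")
        return self.issue(payload.get("expires_in", 3600))

class TokenManager:
    """Keeps one current token pair and refreshes it shortly before expiry."""
    def __init__(self, post, tokens, client_id, client_secret,
                 skew=30, expires_in=None, now=time.time):
        self.post, self.now, self.skew = post, now, skew
        self.client = {"client_id": client_id, "client_secret": client_secret}
        self.expires_in = expires_in             # optional short lifetime for testing
        self._store(tokens)

    def _store(self, resp):
        # Replace both tokens together: a successful refresh deletes the old pair.
        self.access, self.refresh = resp["access_token"], resp["refresh_token"]
        self.expires_at = self.now() + resp["expires_in"]

    def access_token(self):
        # Refresh once the access token is within `skew` seconds of expiring.
        if self.now() >= self.expires_at - self.skew:
            payload = {"grant_type": "refresh_token", "refresh_token": self.refresh,
                       **self.client}
            if self.expires_in is not None:
                payload["expires_in"] = self.expires_in
            self._store(self.post("/oauth/tokens", payload))
        return self.access
```

In a real integration the post callable would send the payload over HTTPS to the account's /oauth/tokens endpoint, and the stored pair would be persisted so a restart does not fall back to a deleted refresh token.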

During this first phase, starting today, refresh tokens will be granted on all new OAuth token requests. Existing OAuth tokens cannot be refreshed. Any existing applications and integrations will continue to work as expected.

Why is Zendesk making this change?

This update further aligns us with the OAuth 2.0 standards, providing customers and developers with more robust and flexible API authentication. 

What do I need to do?

If you are using OAuth to authenticate API requests, your application or integration must adopt the refresh_token grant type. For more information, see Using OAuth authentication with your application.

If you have feedback or questions related to this announcement, visit our community forum where we collect and manage customer product feedback. For general assistance with your Zendesk products, contact Zendesk Customer Support.
