Changes to OAuth2 Refresh Tokens


Breaking Changes

The OAuth2 Refresh Token POST endpoint now requires two new mandatory query parameters:

  • client_id - The Client ID originally received from Spendesk
  • client_secret - The Client Secret originally received from Spendesk

These two parameters are required so that we can rotate your access and refresh tokens more securely. A refresh request that omits either of them is rejected with HTTP status code 400.

In addition to the breaking change above, the OAuth2 Refresh Token POST endpoint now also returns a new property:

  • refresh_token - The new refresh token, which must be used for all subsequent refresh requests

This new refresh token invalidates the one previously issued (originally by the OAuth2 Access Token POST endpoint), and is valid for 30 days.
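The following client-side handling of both changes above (the mandatory client_id/client_secret query parameters and the rotated refresh_token in the response) is an added example; it is not Spendesk's code. The endpoint URL, the JSON body carrying the current refresh token, and the fake server that stands in for the endpoint are assumptions made for illustration. The fake server models only what the changelog states: a 400 when either credential is missing, and one-time use of each refresh token once it has been rotated.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical endpoint path; the real one is in Spendesk's API reference.
REFRESH_URL = "https://api.example.test/oauth2/refresh"
REFRESH_TOKEN_LIFETIME_S = 30 * 24 * 60 * 60  # 30-day validity from the changelog

# transport(method, url, json_body) -> (status_code, json_response)
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str]]]


@dataclass
class TokenStore:
    """Current token pair plus the time the refresh token was issued."""
    access_token: str
    refresh_token: str
    refresh_issued_at: float = field(default_factory=time.time)

    def refresh_token_expired(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return now - self.refresh_issued_at >= REFRESH_TOKEN_LIFETIME_S


class RefreshError(RuntimeError):
    pass


def refresh_tokens(store: TokenStore, client_id: str, client_secret: str,
                   transport: Transport) -> TokenStore:
    """POST to the refresh endpoint and rotate both tokens held in `store`.

    client_id and client_secret go in the query string, as the changelog
    states; carrying the refresh token in a JSON body is an assumption.
    """
    if store.refresh_token_expired():
        raise RefreshError("refresh token older than 30 days; re-authorise")
    query = urlencode({"client_id": client_id, "client_secret": client_secret})
    status, body = transport("POST", f"{REFRESH_URL}?{query}",
                             {"refresh_token": store.refresh_token})
    if status == 400:
        raise RefreshError(f"refresh rejected (400): {body.get('error', '?')}")
    if status != 200 or "refresh_token" not in body:
        raise RefreshError(f"unexpected refresh response: {status} {body}")
    # Rotation: the old refresh token is now invalid server-side, so the new
    # one must replace it in storage before any further request is made.
    store.access_token = body["access_token"]
    store.refresh_token = body["refresh_token"]
    store.refresh_issued_at = time.time()
    return store


class FakeRefreshServer:
    """Constructed stand-in for the endpoint (not Spendesk's behaviour in
    detail): 400 without both client credentials, and each refresh token is
    usable exactly once because rotation invalidates it."""

    def __init__(self, client_id: str, client_secret: str, initial_refresh: str):
        self.client_id, self.client_secret = client_id, client_secret
        self.valid_refresh = {initial_refresh}
        self.counter = 0

    def __call__(self, method: str, url: str, body: Dict[str, str]):
        qs = parse_qs(urlsplit(url).query)
        if (qs.get("client_id") != [self.client_id]
                or qs.get("client_secret") != [self.client_secret]):
            return 400, {"error": "client_id and client_secret are required"}
        presented = body.get("refresh_token")
        if presented not in self.valid_refresh:
            return 401, {"error": "invalid or already rotated refresh_token"}
        self.valid_refresh.discard(presented)  # old refresh token invalidated
        self.counter += 1
        new_refresh = f"rt-{self.counter}"
        self.valid_refresh.add(new_refresh)
        return 200, {"access_token": f"at-{self.counter}",
                     "refresh_token": new_refresh}


def demo() -> Dict[str, object]:
    """Refresh once, then show the old token is dead and missing creds give 400."""
    server = FakeRefreshServer("cid", "secret", "rt-0")
    store = TokenStore("at-0", "rt-0")
    old_refresh = store.refresh_token
    refresh_tokens(store, "cid", "secret", server)
    # Replaying the pre-rotation refresh token must fail: it was invalidated.
    replay_status, _ = server("POST",
                              f"{REFRESH_URL}?client_id=cid&client_secret=secret",
                              {"refresh_token": old_refresh})
    # Omitting the mandatory query parameters yields the documented 400.
    missing_status, _ = server("POST", REFRESH_URL,
                               {"refresh_token": store.refresh_token})
    return {"new_access": store.access_token,
            "new_refresh": store.refresh_token,
            "replay_status": replay_status,
            "missing_status": missing_status}


if __name__ == "__main__":
    print(demo())
```

Two practical notes. First, because the client secret travels in the query string, send these requests over HTTPS only and make sure your own outbound request logging does not record full URLs. Second, persist the new refresh_token before you act on the response in any other way: once the endpoint has rotated it, the old value is gone, and a crash between receiving and storing the new one leaves you with no valid refresh token and a forced re-authorisation.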