improved
Changes to OAuth2 Refresh Tokens
7 months ago by Spendesk API team
Breaking Changes
The OAuth2 Refresh Token POST endpoint now supports two new mandatory query parameters:

client_id - The original Client ID received by Spendesk
client_secret - The original Client Secret received by Spendesk

These two new parameters are needed for us to successfully rotate your access and refresh tokens in a more secure fashion. Without them, the request will result in a response with the status code 400.

In addition to the breaking changes announced above, the OAuth2 Refresh Token POST endpoint also now returns a new property:

refresh_token - The new refresh token to be used from then on

This new refresh token will invalidate the one previously returned by the OAuth2 Access Token POST endpoint, and has a validity period of 30 days.
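
A client-side sketch of handling this rotation, added here as an example and not taken from Spendesk's own code or documentation: it sends both mandatory query parameters, treats 400 as a hard failure, and atomically stores the new refresh token so the invalidated one is never reused. The URL is a placeholder, and the form field carrying the current refresh token, the access_token field, the injected post callable and the FakeEndpoint stand-in are assumptions made for the example.

```python
import json
import os
import tempfile
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder URL: the real endpoint path is not given on this page.
TOKEN_URL = "https://api.example.invalid/oauth2/refresh"

class RefreshError(Exception):
    pass

def save_tokens(path, tokens):
    """Atomically replace the token file; mkstemp creates it with mode 0600."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:
        json.dump(tokens, f)
    os.replace(tmp, path)

def rotate(path, client_id, client_secret, post):
    """Refresh once and persist the rotated refresh token before returning."""
    with open(path) as f:
        current = json.load(f)
    # Both credentials are mandatory query parameters; never log this URL.
    url = TOKEN_URL + "?" + urlencode(
        {"client_id": client_id, "client_secret": client_secret})
    # Assumption: the current refresh token travels in the form body.
    status, body = post(url, {"refresh_token": current["refresh_token"]})
    if status == 400:
        raise RefreshError("400: request rejected, check client_id and client_secret")
    if status != 200 or "refresh_token" not in body:
        raise RefreshError(f"unexpected response, status {status}")
    save_tokens(path, body)  # the old refresh token is invalid from here on
    return body

class FakeEndpoint:
    """Constructed stand-in for the server, used to run the example offline."""
    def __init__(self, client_id, client_secret, refresh_token):
        self.creds, self.valid, self.n = (client_id, client_secret), refresh_token, 0

    def post(self, url, form):
        q = parse_qs(urlsplit(url).query)
        sent = (q.get("client_id", [None])[0], q.get("client_secret", [None])[0])
        if sent != self.creds or form.get("refresh_token") != self.valid:
            return 400, {"error": "invalid_request"}
        self.n += 1
        self.valid = f"rt-{self.n}"  # rotation: the previous token stops working
        return 200, {"access_token": f"at-{self.n}", "refresh_token": self.valid}
```

Because the secret travels in the query string, it can end up in proxy and access logs on the client side; redact the URL before logging it.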