Does the OAuth 2.0 flow support expires_in for refresh tokens? It appears that Zapier doesn’t actually look at the expires_in field to determine if the accessToken is invalid - it instead calls the API, so we need to return 401 to Zapier every time an access token goes bad. This seems like a security issue by making it more difficult to find real unauthorized attempts from bad actors.
Hi
Yes, you are right that Zapier does not use the ‘expires_in’ field to determine if a token is invalid. We depend on receiving a 401 status code error, then automatically refreshing the access token.
If the attempt is being made from bad actors, they would not have a valid access token in the first place, so the authentication would not be successful.
Hope that helps.
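One way to handle the concern raised in the question on the API side, as an added example that is not part of the original thread and is not Zapier's code: record why each 401 was returned, so the expected 401s that trigger a refresh can be separated from requests carrying tokens the API never issued. The token store, reason names, threshold and sample requests are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample data: tokens this API issued, with expiry as epoch seconds.
ISSUED = {
    "tok_live": 2_000,
    "tok_old": 1_000,
}

@dataclass(frozen=True)
class Request:
    ts: int        # request time, epoch seconds
    source: str    # client identifier or address
    token: str     # bearer token presented

def authenticate(req):
    """Return (status, reason); the reason is what makes 401s triageable."""
    expiry = ISSUED.get(req.token)
    if expiry is None:
        return 401, "unknown_token"   # never issued by this API
    if req.ts >= expiry:
        return 401, "expired_token"   # client is expected to refresh and retry
    return 200, "ok"

def triage(requests, threshold=3):
    """Count 401 reasons and flag sources with repeated unknown-token failures."""
    reasons = Counter()
    unknown_by_source = Counter()
    for req in requests:
        status, reason = authenticate(req)
        if status == 401:
            reasons[reason] += 1
            if reason == "unknown_token":
                unknown_by_source[req.source] += 1
    flagged = sorted(s for s, n in unknown_by_source.items() if n >= threshold)
    return dict(reasons), flagged

# Constructed sample traffic (documentation-range addresses).
SAMPLE = [
    Request(1500, "integration", "tok_old"),    # expired: 401, then refresh
    Request(1501, "integration", "tok_live"),   # retry with the new token
    Request(1502, "198.51.100.7", "guess1"),
    Request(1503, "198.51.100.7", "guess2"),
    Request(1504, "198.51.100.7", "guess3"),
    Request(1600, "203.0.113.9", "stale-copy"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Alerting on the `unknown_token` counts only keeps the routine expired-token 401s out of the signal used to spot unauthorized attempts.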