Question

Zapier OAuth flow expires_in

  • April 15, 2024
  • 1 reply
  • 34 views

Does the OAuth 2.0 flow support expires_in for refresh tokens? It appears that Zapier doesn't actually look at the expires_in field to determine if the accessToken is invalid - it instead calls the API, so we need to return 401 to Zapier every time an access token goes bad. This seems like a security issue, since it makes it more difficult to find real unauthorized attempts from bad actors.

  • Zapier Staff
  • 43 replies
  • April 18, 2024

Hi @Code Monkey ,

Yes, you are right that Zapier does not use the 'expires_in' field to determine if a token is invalid. We depend on receiving a 401 status code error, then automatically refreshing the access token.

If the attempt is being made by bad actors, they would not have a valid access token in the first place, so the authentication would not be successful.

Hope that helps.
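The monitoring concern raised in the question can be handled on the API side by recording why each 401 was returned, so routine expiry that precedes a refresh is separated from tokens that were never issued or were revoked. The sketch below is an added example, not code from Zapier or from either poster; the token store layout, reason labels, function names and sample data are all assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample token store (hypothetical schema):
# token -> (client_id, expires_at in epoch seconds, revoked flag)
TOKENS = {
    "tok_a1": ("zapier", 1_000, False),
    "tok_b2": ("zapier", 5_000, False),
    "tok_c3": ("zapier", 5_000, True),
}

# Constructed sample request log: (epoch seconds, source IP, bearer token presented)
REQUESTS = [
    (900, "198.51.100.7", "tok_a1"),    # still valid
    (1_200, "198.51.100.7", "tok_a1"),  # expired: 401, client is expected to refresh
    (1_300, "203.0.113.9", "tok_zz"),   # never issued
    (1_301, "203.0.113.9", "tok_zy"),   # never issued
    (1_400, "198.51.100.7", "tok_c3"),  # revoked
]


def classify(token, now, tokens=TOKENS):
    """Return (http_status, reason) for a presented bearer token."""
    record = tokens.get(token)
    if record is None:
        return 401, "unknown_token"
    _client, expires_at, revoked = record
    if revoked:
        return 401, "revoked_token"
    if now >= expires_at:
        return 401, "expired_token"
    return 200, "ok"


def suspicious_401s(requests, tokens=TOKENS):
    """Count 401s per (source IP, reason), leaving out routine token expiry."""
    counts = Counter()
    for now, ip, token in requests:
        status, reason = classify(token, now, tokens)
        if status == 401 and reason != "expired_token":
            counts[(ip, reason)] += 1
    return counts


if __name__ == "__main__":
    for key, n in suspicious_401s(REQUESTS).items():
        print(key, n)
```

Every rejected request still receives a 401, which is what triggers the refresh; only the logged reason differs, and alerting is keyed on that reason.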