About Zapier Community
New to our Community? Get to know more about our space and how to make the most of your time here.

Code of Conduct Community FAQ's Zapier Common Questions What to Expect

Get Started With Zapier
New to Zapier? We have got you covered with our Zapier 101 Resources.

Zapier Essentials

Get Support
Have a question? Let's get you an answer!

How Do I...? Troubleshooting Code & Webhooks Developer Zone

Other Help Resources
Wait, there's more! Check out these Community sourced spaces for additional resources.

Zapier Help Center Hire an Expert

Zapier Products
Learn more about Zapier's new products.

Zapier Tables Zapier Interfaces

Zapier Reading
All of our best learning resources can be found here.

Featured Articles Show & Tell AI Hub Zapier Tools Hub

Learning Groups
Excited to meet other builders? Check out our interest areas full of doers, dreamers, and in-betweeners.

User Groups

Other Learning Resources
Some of our favorite additional ways to upskill your Zapier knowledge.

Zapier Learn Zapier Blog Zapier Webinars

Product Updates
Check out what is new and upcoming with Zapier with our regular product updates.

Product Updates

Early Access Program
Want to join Early Access? Learn more here.

Question

zapier OAuth flow expires_int

  • 15 April 2024
  • 1 reply
  • 8 views
C
Userlevel 1

does the OAuth 2.0 flow support expires_in for refresh tokens? It appears that Zapier doesn’t actually look at the expres_in field to determine if the accessToken is invalid - it instead calls the API so we need to return 401 to Zapier every time an access token goes bad. This seems like a security issue by making it more difficult to find real unauthorized attempts from bad actors.

1 reply

O
Userlevel 2
Badge +2

Hi @Code Monkey ,

Yes, you are right that Zapier foes not use the ‘expired_in’ field to determine if a token is invalid. We depend on receiving a 401 status code error, then automatically refreshing the access token.

If the attempt is being made from bad actors, they would not have a valid access token in the first place, so the authentication would not be successful.

Hope that helps.

Reply


Terms & Conditions