zapier OAuth flow expires_int

  • 15 April 2024
  • 1 reply

does the OAuth 2.0 flow support expires_in for refresh tokens? It appears that Zapier doesn’t actually look at the expres_in field to determine if the accessToken is invalid - it instead calls the API so we need to return 401 to Zapier every time an access token goes bad. This seems like a security issue by making it more difficult to find real unauthorized attempts from bad actors.

1 reply

Userlevel 2
Badge +2

Hi @Code Monkey ,

Yes, you are right that Zapier foes not use the ‘expired_in’ field to determine if a token is invalid. We depend on receiving a 401 status code error, then automatically refreshing the access token.

If the attempt is being made from bad actors, they would not have a valid access token in the first place, so the authentication would not be successful.

Hope that helps.