OAuth2 refresh token lasts for only a single request


I’m building a PHP app and I implemented the OAuth flow described in the documentation.

However, after I successfully receive my refresh token, it only works for one request; the following request always fails.
Any reason why it won’t allow me to use the refresh token again in offline mode?


Hi @user172, welcome to the forum.

That is by design.

When you use the refresh endpoint POST /oauth2/token, sending the refresh token, you get back a fresh access token valid for 60 minutes, but also a fresh refresh token, valid for 60 days.

The next time you try to refresh the access token you must use the previous refresh token.

In case there is some concurrency in the refresh, the platform handles it fine, and returns the same new pair of tokens.

Let us know if this helps.


Hi @rbarbosa
I posted to /oauth2/token and got the fresh refresh token, that’s the token I was referring to that only works once…

I may be missing your point then.

The refresh token is indeed single use, that is by design.

The access token can be used multiple times until it expires after 60 minutes.

When you use the refresh token, you get a new access token and a new refresh token.

After the new access token expires you use the new refresh token and start the process over.

When a new refresh token is generated, the old ones stop working, except for the concurrency case I mentioned.

If that happened or if somehow the refresh token is lost, try to re-authorize the application, and start over if possible.

Thanks @rbarbosa, I was able to get it working by saving the refresh token when requesting the access token (although other OAuth implementations do not require this with the offline option).


And yes… Box goes above and beyond when it comes to authentication.
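
The rotation discussed in this thread, as an added PHP example that is not code from either poster or from Box: every refresh returns a new pair, so the new refresh token is written to storage under a lock before the access token is used. The token endpoint is a constructed stand-in (`fakeTokenEndpoint`), and `getAccessToken` and the file store are hypothetical names; a real client would pass a callable that POSTs the form to /oauth2/token.

```php
<?php
declare(strict_types=1);
// Constructed stand-in for POST /oauth2/token: each refresh token works once.
function fakeTokenEndpoint(array $form): array {
    static $valid = 'rt-0', $n = 0;              // constructed sample values
    if (($form['refresh_token'] ?? '') !== $valid) {
        return ['error' => 'invalid_grant'];
    }
    $valid = 'rt-' . ++$n;                       // rotation: the old token is now dead
    return ['access_token' => "at-$n", 'expires_in' => 3600, 'refresh_token' => $valid];
}

// Return a usable access token, refreshing and persisting the new pair when needed.
function getAccessToken(string $storePath, callable $post): string {
    $fh = fopen($storePath, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) { // one refresh at a time across workers
        throw new RuntimeException('cannot lock token store');
    }
    try {
        $tok = json_decode(stream_get_contents($fh) ?: '{}', true) ?: [];
        if (($tok['expires_at'] ?? 0) > time() + 60) {
            return $tok['access_token'];         // still valid, no refresh token spent
        }
        $res = $post(['grant_type' => 'refresh_token', 'refresh_token' => $tok['refresh_token'] ?? '']);
        if (isset($res['error'])) {
            throw new RuntimeException("refresh failed ({$res['error']}): re-authorize");
        }
        $tok = ['access_token'  => $res['access_token'],
                'refresh_token' => $res['refresh_token'],   // replaces the spent token
                'expires_at'    => time() + (int) $res['expires_in']];
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, json_encode($tok));          // save before the access token is used
        fflush($fh);
        return $tok['access_token'];
    } finally {
        fclose($fh);                             // closing also releases the lock
    }
}

// Demo on constructed data: the store starts with the token from the first authorization.
$store = tempnam(sys_get_temp_dir(), 'tok');
chmod($store, 0600);                             // token file readable by its owner only
file_put_contents($store, json_encode(['refresh_token' => 'rt-0', 'expires_at' => 0]));
echo getAccessToken($store, 'fakeTokenEndpoint'), "\n";   // first refresh spends rt-0
$saved = json_decode(file_get_contents($store), true);
file_put_contents($store, json_encode(['expires_at' => 0] + $saved)); // force expiry
echo getAccessToken($store, 'fakeTokenEndpoint'), "\n";   // second refresh uses the saved token
echo fakeTokenEndpoint(['refresh_token' => 'rt-0'])['error'], "\n"; // replay of the spent token
unlink($store);
```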