Invalid refresh token

I’m getting back {"status":400,"message":"Invalid refresh token"} when trying to refresh an access token.

I make the following request to refresh the token:
POST https://id.twitch.tv/oauth2/token?client_id=xxxx&client_secret=yyy&grant_type=refresh_token&refresh_token=zzz

Here is how my flow works:

  1. Get code
  2. Get access token/refresh/expire token from code
  3. Save access token/refresh/expire token from code
  4. When making a request on behalf of a user, check if the access token has expired. If so, refresh the token using the request above and save the result to the database
  5. Make request using current token

It's possible that tokens aren't being refreshed within the expiration time, but to my understanding, refresh tokens do not expire on the expires_on date.

Any guidance to why I’m having this issue?
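Worked example of the five-step flow above, added here as an illustration rather than taken from the poster's code or from Twitch. It assumes the token endpoint answers with JSON fields `access_token`, `refresh_token` and `expires_in`, that each successful refresh rotates the refresh token, and that reusing an already-rotated refresh token produces the `{"status":400,"message":"Invalid refresh token"}` body quoted in the question. Two details a practitioner would check in a multi-worker production deployment: the client secret is sent in the form body rather than the URL query string (so it does not end up in proxy and server logs), and a per-user lock stops two workers from refreshing the same row at the same moment, since the second use of a rotated refresh token would look exactly like the 400 in the question. The HTTP transport (`FakeTwitch`) and all token values are constructed so the example runs offline.

```python
"""Refresh-token handling for the OAuth flow described in the question (added example)."""
import threading
import time
from urllib.parse import urlencode

TOKEN_URL = "https://id.twitch.tv/oauth2/token"
CLIENT_ID, CLIENT_SECRET = "xxxx", "yyy"   # placeholders, as in the thread
SKEW = 60  # refresh this many seconds before expires_on rather than after it


class NeedsReauth(Exception):
    """The stored refresh token is dead; only a fresh authorization fixes it."""


class TokenStore:
    """Stands in for the database: one row per user plus a per-user lock."""
    def __init__(self):
        self.rows = {}
        self.locks = {}

    def save(self, user, access, refresh, expires_in, now):
        self.rows[user] = {"access": access, "refresh": refresh,
                           "expires_on": now + expires_in}

    def lock(self, user):
        return self.locks.setdefault(user, threading.Lock())


def refresh_token(store, user, http_post, now=None):
    """Return a usable access token for `user`, refreshing if it is (about to be) expired.

    The per-user lock is the production-only detail: two workers hitting an
    expired row at once would both send the same refresh token, and the second
    use of a rotated refresh token comes back as "Invalid refresh token".
    """
    now = time.time() if now is None else now
    with store.lock(user):
        row = store.rows[user]
        if row["expires_on"] - SKEW > now:
            return row["access"]                  # still valid, nothing to do
        body = urlencode({"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                          "grant_type": "refresh_token",
                          "refresh_token": row["refresh"]})
        status, resp = http_post(TOKEN_URL, body)   # secret in the body, not the URL
        if status == 401 or (status == 400 and resp.get("message") == "Invalid refresh token"):
            del store.rows[user]   # dead tokens: drop the row so the app prompts for reauth
            raise NeedsReauth(f"{user}: {status} {resp.get('message')}")
        if status != 200:
            raise RuntimeError(f"unexpected token response {status}: {resp}")
        # Persist the rotated pair immediately; the old refresh token is now useless.
        store.save(user, resp["access_token"], resp["refresh_token"], resp["expires_in"], now)
        return resp["access_token"]


def concurrent_refresh(store, user, http_post, now, workers=4):
    """Simulate several workers finding the same expired row; returns the set of tokens they got."""
    results = []

    def work():
        results.append(refresh_token(store, user, http_post, now))

    threads = [threading.Thread(target=work) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return set(results)


class FakeTwitch:
    """Constructed stand-in for id.twitch.tv (assumed behaviour): rotates refresh tokens, rejects reuse."""
    def __init__(self, valid_refresh):
        self.valid = set(valid_refresh)
        self.counter = 0

    def post(self, url, body):
        params = dict(p.split("=", 1) for p in body.split("&"))
        if params["refresh_token"] not in self.valid:
            return 400, {"status": 400, "message": "Invalid refresh token"}
        self.valid.discard(params["refresh_token"])   # one-time use
        self.counter += 1
        new_refresh = f"r{self.counter}"
        self.valid.add(new_refresh)
        return 200, {"access_token": f"a{self.counter}",
                     "refresh_token": new_refresh, "expires_in": 14400}
```

With the lock in place, four workers racing on one expired row produce exactly one refresh request; without it, the losers of the race would each receive the 400 above and the user would be sent back through authorization for no good reason. A database row lock (`SELECT ... FOR UPDATE` or equivalent) plays the same role across processes that `threading.Lock` plays here within one.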

Something caused the refresh token to die; this could include, but is not limited to:

  • user changed their password
  • user unlinked your application
  • user generated 25 tokens against your application ID (token 26 kills token 1 and may kill its refresh)

I know for sure that they didn't change their password or unlink the application.

When you say generated 25 tokens, wouldn't the way I store and use tokens avoid this? Every single time I get a new token, I store it in the database along with the new refresh token and use that one from then on.

Sure, in theory.

But I didn't list every possible reason, just the most common ones; there are a bunch of unknowns that could kill a token/refresh token.

I can rule out users changing password or unlinking application because that should return 401:

When a user changes their password or disconnects an app, we delete all tokens for that user. Both refresh and access tokens for that user will return 401 Unauthorized.

I can rule out the old token being killed because I'm always using the most recent token.

Is there a complete list of other reasons for what else could be going wrong?

No

@BarryCarlyon, do you have any other recommendations on how to troubleshoot? I'm only experiencing these issues on my production server, which manages many more accounts than my dev server. The dev server never has this issue.

I just get my users to reauth when one of my refresh tokens stops working.

@BarryCarlyon, it's a business requirement that they don't have to reauth often. Any workarounds?

Not that I know of

Whenever a token/refresh token dies, the only solution is new tokens.

For me it affects only one of my users.
