InvalidRefreshTokens and Recovering Refresh Tokens

(William Green) #1

Every Monday our application updates the refresh tokens for all of our connected Dwolla accounts.

This morning 6 of our accounts failed to refresh the token and now we are getting the following error when we refresh the tokens for those accounts:
DwollaV2::AccessDeniedError: {“error”=>“access_denied”, “error_description”=>“Invalid refresh token.”}

I have two questions:

(1) Is there a reason why certain accounts would fail to refresh the token, while others would not? We did not receive any errors when updating the refresh tokens on a weekly basis.
(2) How do we get new refresh tokens for our linked accounts? Asking users to re-OAuth into our portal is a very difficult ask.

(Cory Anderson) #2

Hey William,
Refresh tokens are only good for 60 days. Have you tried to save the updated refresh token when you receive a refresh token?

(William Green) #3

Yes - we save the Refresh Tokens every time we update them every Monday. We have roughly 20 accounts that are live that we refresh regularly, however 6 of them became inactive. This leads me to believe that there is something odd with the 6 Dwolla accounts.

Is there any way to get a valid refresh token for the account after it has become inactive? Or is the ONLY way to get a new refresh token is to have the user re OAuthenticte? This would require us to contact our customers to ask them to go through this process again and we would like to avoid this.

Thanks for your help,

(Spencer Hunter) #4

@William_Green, One thing that comes to mind is that you failed to store the newly issued refresh token when you called the API to refresh authorization. I am seeing a high number of requests yesterday morning to refresh access tokens that are issued to your application. This looks pretty atypical compared to requests you’ve made in the past to refresh authorization.

Yesterday you had 82 refresh requests. 23 failed and 59 succeeded. On Monday you only had 1 refresh request which closely aligns with previous weeks.

Something to note: if you call the API to refresh authorization you should get back a new access token and refresh token pair. That previously issued refresh token that you had stored should still be valid and should give you back the current access token and refresh token pair. Once you use the latest refresh token to obtain a new access token and refresh token pair then the refresh token was issued two times ago will be invalidated.

If you have a “stale” refresh token then unfortunately the user will be required to reauthorize your application. A stale refresh token can also occur if the user revokes authorization to your application on This is unlikely but can occur so I wanted to point it out.

(William Green) #5

I appreciate the response Spencer, we are going through our accounts and asking them to re-authenticate.