Problem with refresh tokens - started Saturday


We have been successfully using refresh tokens to get new access tokens for a few months now with the same code. Starting Saturday, we began getting invalid_refresh_token back a LOT. In our auth server, we have the refresh tokens set to stay good for an unlimited time as long as they are used at least every 7 days. However, that behavior is no longer happening. The refresh token seems to be expiring after like 24 hours, in contradiction to our settings. Did a new code release happen on Okta’s side that may have changed or broken things, and how do we solve it?


We added a cleanup job for expired and unused refresh tokens. Unfortunately, that job had a bug that caused it, in certain instances, to clean up active tokens. We have paused the job and will not turn it back on until a bug fix is rolled out. Your new refresh tokens should have the proper expiration.

I apologize for the inconvenience that this has caused.

Hi John,

Thanks very much for the prompt response. Definitely a bad bug! All of our customers on mobile and Gmail plug-in were asked to re-authenticate.