Regarding Access and Refresh Token Behaviors

Hi , 
In our SugarCRM application we are having 3 instances and they are behaving differently .


Please find the query we have raised earlier regarding Invalid access token and refresh token (

The scenario was with all the 3 demo instance and credentials

On first environment , if we test connection ,will get access token a1 and refresh token r1

On Second environment with same demo instance and same credentials if i tried to execute test connection parallelly, we will receive new access token  a2 as well as new refresh token r2 

first environment received  access token a1and refresh token r1 will become invalid.


for the 1st instance 

after creating another connection with same credentials new access token a2 and refresh token r2 is created but also the first connection is working fine with the old access token a1 and refresh token r1. we are not receiving invalid access token and refresh token as earlier.

for the 2nd instance and 3rd instance 

after creating another connection with the same credentials the first connection is failing because of the above mentioned scenario. we are getting invalid access token and refresh token error as earlier.

Is there any recent changes in the SugarCRM application ?. If there is any changes happened can somebody please mention those here.

  • hi  ,

    I read your scenario a few times and I didn't quite understand, could you please clarify what an environment and demo instance is for you? when you say "instance" are you saying parallel processing and environment is an actual sugar install?

    I can tell you that there are no changes in the core code related to authentication, what could've happened is you're now using our Sugar IDM but that wouldn't change any of the oauth mechanism for you through our endpoint APIs.

    As I didn't understand your use case, I'm gonna put down our login/auth best practices here:

    1. As a pre-requisite, make sure you have your own Platform setup in Sugar
      1. This is a one-time thing per instance that we can automate
      2. I will add this to your package so you don’t have to do it manually, but on your current instance just do it.
      3. Once that step is done, you can move to point 2
    2. Trigger sugar oauth2/login (see sample 1) save your access_token and refresh_token
      1. Implement an interceptor looking for 401
      2. Here’s an example you can base yourself on
      3. It basically “catches” an error, uses the refresh_token from step 2) and uses it to get a new token
    3. Make all your requests in parallel, bulk whatever you use to integrate and use the access_token
      1. You shouldn’t have to refresh tokens as they are supposed to be short-lived by your integration
      2. Our access token is for 1 hour (see defaults), so you have Zapier has 1 hour to exchange data for each integration session.
    1. Logout from Sugar to clean up that token when you’re done with your integration.


    Payload for /oauth2/token

        "platform":"<your platform from pre-requisite>"

    Hope this helps, 

    SugarCRM | Principal Developer Advocate