The refresh_token used to access the API is valid for a single use.

Question

Hi everyone, 
 I'm currently working on establishing a connection between an external application and the Sugar API. Initially, I'm using the password grant_type for my first connection attempt. 
 ```json { "grant_type": "password", "client_id": "{{client_id}}", "client_secret": "{{client_secret}}", "username": "{{username}}", "password": "{{password}}", "platform": "{{platform}}" } ``` 
 This setup successfully returns both the access_token and the refresh_token. I'm storing these tokens in my cache and utilizing the access_token for operations. However, after an hour, the access_token expires, prompting me to use the refresh_token to obtain a new access_token. 
 ```json { "grant_type": "refresh_token", "refresh_token": "{{refresh_token}}", "client_id": "{{client_id}}", "client_secret": "{{client_secret}}", "platform": "{{platform}}" } ``` 
 Here's where the issue arises: the refresh_token can only be used once. Subsequent attempts to use the same refresh_token fail, as it changes after its initial use. I'm unsure if this behavior is intended or if it's a bug. Moreover, I'm struggling to grasp the practical use case for the refresh_token if it's only usable once. 
 Your insights on this matter would be greatly appreciated. 
 Thanks.

Raul Bethencourt Gonzalez · Answer

Raul Bethencourt Gonzalez 
 
 The refresh token changes as it has it's own expire time too. Every time you request a new token the refresh token update too. You cannot use the same one every time. support.sugarcrm.com/.../ 
 {
 "access_token": "...",
 "expires_in": 3600,
 "token_type": "bearer",
 "scope": null,
 "refresh_token": "...",
 "refresh_expires_in": 6800,
 "download_token": "..."
}