I'm installing my OAuth consumer in my account several times. Each time I complete the installation process (https://developer.atlassian.com/cloud/bitbucket/rest/intro/#1--authorization-code-grant--4-1-) I get an access token.
It seems that these tokens can be managed independently and refreshing one of them will not invalidate the others. I have tested refreshing one token and all the other tokens were still valid.
Can anyone confirm if this is really the intended behavior? I'm asking this because occasionally (only twice in a lot of tests) refreshing one of these multiple access tokens fails and I have no idea why.
Hello @Andre Meira,
Welcome to Atlassian Community!
In order for us to better understand the scenario you are testing, I'd like to ask for the following details:
Thank you, @Andre Meira.
Patrik S
Hello @Patrik S, thanks for your reply.
{"error": "invalid_request", "error_description": "Invalid refresh_token"}
In case it's not clear from my original question, I'm performing step 2.1 multiple times in the same user account. Each time I get back a different access/refresh token pair and it seems they can be managed independently without invalidating previous tokens.
Hello @Andre Meira,
Thank you for providing additional context!
The first time you access the authorization grant URL, you will be prompted to grant consent for that OAuth consumer to make requests on your account's behalf. Once you provide the consent, you will be redirected to the redirect_url configured in the OAuth consumer, with the Authorization code as part of this URL.
1. This Authorization code can be used one-time only to exchange for an access token.
curl -X POST -u "client_id:secret" https://bitbucket.org/site/oauth2/access_token -d grant_type=authorization_code -d code={code}
2. You can get a new code by accessing the authorization grant URL again:
https://bitbucket.org/site/oauth2/authorize?client_id={client_id}&response_type=code
3. Or directly get a new access token by using the refresh token that was included in the response of 1.:
curl -X POST -u "client_id:client_secret" https://bitbucket.org/site/oauth2/access_token -d grant_type=refresh_token -d refresh_token=<refresh_token>
Every time you exchange the code for an access token or use the refresh token to get a new access token, the access token will be different. However, the refresh token will always be the same. An access token expires in 2 hours, while the refresh_token has no expiration. Generating a new access token will not revoke the previous access tokens, and they will continue to expire after 2 hours of their creation.
It's important to note though that if you change the scopes of your OAuth consumer, the previously generated access and refresh tokens will be revoked and the user will have to authorize the app again. A new refresh token will be generated when you first exchange your new Authorization code for an access token. If you try to use the old refresh token after the OAuth scope change, you will get the "Invalid refresh token" error.
Hope that helps to clarify your questions!
Thank you, @Andre Meira!
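An added example, not part of the original thread and not Atlassian's code: one way a client could keep each installation's token pair separately, refresh shortly before the 2-hour expiry, and treat the "Invalid refresh_token" error body as a signal to send the user back through authorization. The `Grant` class, the `post` callable (assumed to POST form data with the consumer's client_id and secret and return the parsed JSON) and the fake endpoint are hypothetical.

```python
import time

TOKEN_URL = "https://bitbucket.org/site/oauth2/access_token"  # from the thread

class ReauthorizationRequired(Exception):
    """Refresh token rejected: the user must go through the authorize URL again."""

class Grant:
    """Token pair for one installation (hypothetical helper)."""
    def __init__(self, post, refresh_token, clock=time.time):
        self.post, self.clock = post, clock   # post(url, data) -> parsed JSON dict
        self.refresh_token = refresh_token
        self.access_token, self.expires_at = None, 0.0

    def token(self, skew=60):
        """Return a usable access token, refreshing shortly before expiry."""
        if self.access_token is None or self.clock() >= self.expires_at - skew:
            self._refresh()
        return self.access_token

    def _refresh(self):
        body = self.post(TOKEN_URL, {"grant_type": "refresh_token",
                                     "refresh_token": self.refresh_token})
        if "error" not in body:
            self.access_token = body["access_token"]
            # Keep whatever refresh token comes back; per the thread it is unchanged.
            self.refresh_token = body.get("refresh_token", self.refresh_token)
            self.expires_at = self.clock() + body.get("expires_in", 7200)  # 2 hours
            return
        self.access_token = None
        if "refresh_token" in body.get("error_description", ""):
            # The error body quoted in the thread, e.g. after a scope change.
            raise ReauthorizationRequired(body["error_description"])
        raise RuntimeError(f"token refresh failed: {body}")

def make_fake_post(valid_refresh_tokens):
    """Constructed offline stand-in for the token endpoint (not Bitbucket code)."""
    issued = []
    def post(url, data):
        if data["refresh_token"] not in valid_refresh_tokens:
            return {"error": "invalid_request",
                    "error_description": "Invalid refresh_token"}
        issued.append(f"access-{len(issued) + 1}")
        return {"access_token": issued[-1], "expires_in": 7200,
                "refresh_token": data["refresh_token"]}
    return post
```

Catching `ReauthorizationRequired` separately from other failures lets a service log a revoked grant as a distinct event instead of retrying a refresh that can never succeed.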
Hi @Patrik S
Thanks for your reply, it was very helpful!
The error I mentioned occurred during a period of heavy testing and it is possible that we changed the scopes of the OAuth consumer, which could have led to the "Invalid refresh token" error.
In the meanwhile, we have finished testing, the use of the OAuth consumer has reached a "steady state" and we did not have any similar problems. So I believe the error occurred due to changes during testing.
Thanks again for the support.
Cheers!
Hello @Andre Meira!
You're very welcome!
Happy to have been of some help :) Feel free to reach out to the community in case you have any other questions.
Thank you!