Are you in the loop? Keep up with the latest by making sure you're subscribed to Community Announcements. Just click Watch and select Articles.

Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root


1 badge earned


Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!


Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.


Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!


OAuth consumer installed multiple times -- can tokens be managed independently?

I'm installing my OAuth consumer in my account several times. Each time I complete the installation process ( I get an acess token.

It seems that these tokens can be managed independently and refreshing one of them will not invalidate the others. I have tested refreshing one token and all the other tokens were still valid.

Can anyone confirm if this is really the intended behavior? I'm asking this because occasionally (only twice in a lot of tests) refreshing one of these multiple access tokens fails and I have no idea why.

1 answer

1 accepted

0 votes
Answer accepted
Patrik S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Dec 29, 2022

Hello @Andre Meira ,

Welcome to Atlassian Community!

In order for us to better understand the scenario you are testing, I'd like to ask for the following details : 

  • What is the grant type you are using ?
  • Could you please provide us with the sequence of API calls you are following to get the token and also refresh it? 
  • When you mentioned that refreshing one of these multiple tokens fails, what is the error you are receiving?

Thank you, @Andre Meira .

Patrik S

Hello @Patrik S , thanks for your reply.

  1. I am using Authorization Code grant
  2. As per the documentation:
    1. Redirect the user to Bitbucket for authorization and use the OAuth code to request a token, as specified here --
    2. Refresh the token as specified here --
  3. I get a 400 Bad Request with the following error response
    {"error": "invalid_request", "error_description": "Invalid refresh_token"}


    In case it's not clear from my original question, I'm performing step 2.1 multiple times in the same user account. Each time I get back a different access/refresh token pair and it seems they can be managed independently without invalidating previous tokens.

Patrik S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Jan 05, 2023

Hello @Andre Meira ,

Thank you for providing additional context!

The first time you access the authorization grant URL, you will be prompted to grant consent for that OAuth consumer to make requests on your account's behalf. Once you provide the consent, you will be redirected to the redirect_url configured in the OAuth consumer, with the Authorization code as part of this URL. 

1. This Authorization code can be used one-time only to exchange for an access token.

curl -X POST -u "client_id:secret" \ \ -d grant_type=authorization_code -d code={code}

2. You can get a new code by accessing the authorization grant URL again :{client_id}&response_type=code

3. Or directly get a new access token by using the refresh token that was included in the response of 1. :

curl -X POST -u "client_id:client_secret" -d grant_type=refresh_token -d refresh_token=<refresh_token>

Every time you exchange the code for an access token or use the refresh token to get a new access token, the access token will be different. However, the refresh token will be always the same. An access token expires in 2 hours, while the refresh_token has no expiration. Generating a new access token will not revoke the previous access tokens, and they will continue to expire after 2 hours of their creation. 

It's important to note though that if you change the scopes of your OAuth consumer, the previously generated access and refresh tokens will be revoked and the user will have to Authorize the app again. A new refresh token will be generated when you first exchange your new Authorization code for an access token. If you try to use the old refresh token after the Oauth scope change, you will get the "Invalid refresh token" error.

Hope that helps to clarify your questions!

Thank you, @Andre Meira ! 

Hi @Patrik S

Thanks for your reply it was very helpful!

The error I mentioned occurred during a period of heavy testing and it is possible that we changed the scopes of the OAuth consumer, which could have lead to the "Invalid refresh token" error.

In the meanwhile, we have finished testing, the use of the OAuth consumer has reached a "steady state" and we did not have any similar problems. So I believe the error occurred due to changes during testing.

Thanks again for the support.


Like Patrik S likes this
Patrik S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Jan 06, 2023

Hello @Andre Meira !

You're very welcome!

Happy to have been of some help :) Feel free to reach out to the community in case you have any other questions.

Thank you!

Suggest an answer

Log in or Sign up to answer
Site Admin
AUG Leaders

Atlassian Community Events