Invalid refresh tokens

Forum for users and developers of Bullhorn's API service.

Moderators: StaffingSupport, s.emmons, BullhornSupport

Post Reply
Posts: 6
Joined: Wed Jan 02, 2019 6:18 am

Invalid refresh tokens

Post by kamilb » Fri May 24, 2019 10:37 am


I have a problem related to the API access.
In my application, I need to continuously access my customers' jobs and candidates.
To achieve that, I have implemented oAuth flow.

After the user authenticates, I store the access_token and refresh_token that I received. I use the access_token to log in to the Bullhorn API and obtain the BhRestToken, which I use for all of the consecutive API requests. When the session expires I refresh the tokens and log in again.
Most of the time it works as expected, but sometimes I get the error telling me that the refresh_token is "expired or invalid". When that happens, the only way to regain the access is to ask customers to reauthenticate.

What might be the reason for the refresh_token to get invalidated and how can I avoid it?


Bullhorn Support Staff
Posts: 931
Joined: Wed Dec 31, 1969 8:00 pm

Re: Invalid refresh tokens

Post by pmularski » Thu May 30, 2019 9:19 am

Greetings Kamilb,

These are the token specifics. Refresh tokens are not designed to expire. Access Tokens expire quickly though.

REST Token: Expires after 30 minutes
Access Token: Expires after 10 minutes
Refresh Token: Never Expires (Unless a new access token and refresh token are generated)

Does that answer your question?
Patrick Mularski
Senior Enterprise Support Analyst
Staffing and Recruiting Software, On Target, On Demand
Bullhorn Support Contact Numbers
US: 617-478-9126
UK: 44 800 032 2848
Australia: 61 28 073 5089
International: 617-478-9131

Posts: 6
Joined: Wed Jan 02, 2019 6:18 am

Re: Invalid refresh tokens

Post by kamilb » Tue Jun 04, 2019 10:01 am

Hello pmularski,

Thank you for your response.
Sadly, it doesn't solve my issue.
I'm aware that both Access Token and REST Token expire pretty quickly and the Refresh Token is not supposed to ever expire.
That's why, whenever the REST Token expires, I use the Refresh Token to obtain a new pair of Access Token and Refresh Token. I use Access Token to obtain new REST Token, and store Refresh Token for the time when I need to refresh them again. This approach works for me most of the time. However, in some relatively rare cases, API returns me the "refresh token is invalid or expired" response when I'm using the refresh token that hasn't been used yet.
I wasn't able to notice any pattern when that happens. Sometimes tokens are being refreshed correctly for a week before I get this error, sometimes it takes months to get the error.
So I guess my question boils down to this: is it possible for the refresh token to become invalidated in any other way than using it for getting new tokens, and if so - in what cases can it happen?

Thank you,

Posts: 14
Joined: Thu Sep 28, 2017 7:34 am

Re: Invalid refresh tokens

Post by ganeshprabhu » Mon Aug 12, 2019 6:54 am

The reason you may make parallel calls to get the new access token with the refresh token. parallel calls make token invalid.
You must carefully watch your API thread How the parallel call will invalidate the token.

Post Reply