refresh_token becoming invalid a few days after successful authentication

Forum for users and developers of Bullhorn's API service.

Moderators: StaffingSupport, s.emmons, BullhornSupport

Post Reply
Posts: 2
Joined: Wed Sep 04, 2019 12:22 pm

refresh_token becoming invalid a few days after successful authentication

Post by adcooley »

We are running into issues where the refresh_token we have successfully acquired becomes invalid after a few days of successful re-fetch/storage of the refresh_token
  • When the expiration period has passed (10 minutes for us) we are able to successfully re-request an access_token using the refresh_token, after which we store the new refresh_token. This is working fine for the first few days. Then suddenly our re-request of the refresh_token leads to storage of an invalid token and we can no longer make new requests.
  • Our API occasionally makes requests on parallel background workers. I wouldn't expect there to be a race condition storing the new refresh_token on our end unless Bullhorn is responding with multiple valid new refresh_tokens on separate requests (the first one should win out if I'm understanding correctly, and the 2nd should fail to respond)
  • I also found this document https://1agb93314bcf1knhv22id9u9-wpengi ... tokens.pdf which states a variety of reasons, some out of our control, where a refresh_token would become invalid. It then seems like we would need user intervention to obtain a new valid refresh_token??
This is a huge problem for our customers as they expect the Bullhorn integration to operate seamlessly without constant re-logins. Can you advise on the way we are re-requesting and storing refresh_tokens? Should we be locking to prevent making parallel requests for a new refresh_token?

Thank you

Posts: 24
Joined: Fri Feb 15, 2019 10:31 am

Re: refresh_token becoming invalid a few days after successful authentication

Post by mholmemi »

Hi adcooley,

This is Mikaela from Bullhorn Support. It sounds like you might be making parallel calls to get the new access token with the refresh token, which would make the token invalid.

While the refresh tokens don't expire, they will only valid until you generate the next one. A valid refresh token can be used to generate a new access token, which also gives you a new refresh token. Once you have a new access token, you can make the GET /login call again to generate a new BhRestToken.

We advise storing each new refresh token locally so that it can be used programmatically to generate new sessions.

I hope that helps!

Please let me know if you have any additional questions.

Mikaela Holme-Miller | Tier II/Enterprise Support Analyst

Post Reply