Refresh Token Flow

After an application using the Authorization Code Flow with PKCE obtains an access token, it also receives a refresh_token that can be used to obtain a new access token when the current one expires. Access tokens grant access to the application only temporarily; once they have expired, they must be refreshed.

For enhanced security, ZoomInfo automatically enables refresh token rotation. This means that each refresh token can be used to fetch only one new access token. Along with the new access token, a brand new refresh token is returned and the previously used refresh token is invalidated. From then on, only the new refresh token can be used the next time a new access token needs to be generated.


Generate an Access Token

For the Refresh Token Flow, a single step is needed to generate a new access token given a refresh token:

  1. Exchange Refresh Token for Access Token

Exchange Refresh Token for Access Token

An Authorization Code application can use the refresh token to generate a new access token by sending a POST request to the token endpoint.

This request contains the client_id and client_secret that are used to identify and verify the external client. There are two ways to provide the credentials to the token endpoint: the HTTP Basic Authentication Scheme or Request Body Parameters. The HTTP Basic Authentication Scheme is the recommended method for providing client identification. If the Authorization header is provided, any client identification in the request body is ignored.

Using the HTTP Basic Authentication Scheme:

POST https://api.zoominfo.com/gtm/oauth/v1/token
Authorization: Basic *********************************
Content-Type: application/x-www-form-urlencoded
Accept: application/json

grant_type=refresh_token&
refresh_token=7PV7YVxG0UswgzFFaX-mDMoVRIgN5WEfLS0hfx9qSDo

Using Request Body Parameters:

POST https://api.zoominfo.com/gtm/oauth/v1/token
Content-Type: application/x-www-form-urlencoded
Accept: application/json

grant_type=refresh_token&
refresh_token=7PV7YVxG0UswgzFFaX-mDMoVRIgN5WEfLS0hfx9qSDo&
client_id=0oaf6t3osgvaPvy4E1d7&
client_secret=***************************

The following parameters are required for each token exchange request:

Parameter       Description
grant_type      The type of validation that the client can provide to prove it can be issued access tokens. For this flow the value is always refresh_token.
refresh_token   The refresh token obtained either during the initial authorization or after a refresh of an access token. This value is a secret; please protect it accordingly.

Upon successful verification of the external client's refresh token, ZoomInfo's authorization server will respond with a new access token. The response will always be encoded in the application/json content type.

{
  "access_token": "eyJraWQiOiJKdThxUW1tTUx1SG9QSEFVQlJnUmh...jnIn951t3kLf6VZ6SOsYKSVY9kGeNbCGkufCNLQ",
  "expires_in": 1000,
  "id_token": "eyJraWQiOiJKdThxUW1tTUx1SG9QSEFVQlJnUmh...CUxqHWQpbUXU0TTuzrQilNWEoggi5haJkQ",
  "refresh_token": "7PV7YVxG0UswgzFFaX-mDMoVRIgN5WEfLS0hfx9qSDo",
  "scope": "api:data:company api:data:contact api:audience:read...",
  "token_type": "Bearer"
}
Parameter       Description
access_token    OAuth token that can be used by applications calling the ZoomInfo API.
expires_in      The length of time, in seconds, that the access token is valid.
id_token        A signed JWT that contains claims about the authentication event and the authenticated user. Unlike an access token (which authorizes access to resources), the ID token is intended for the client application to verify the user's identity.
refresh_token   This token can be used to refresh the access_token when it has expired. This value is a secret; please protect it accordingly. For more information on how to utilize this token see Refresh Token Flow.
scope           The list of scopes that are applied to this access token.
token_type      Denotes the type of token provided. This value will always be "Bearer" but is included for completeness. It indicates that this token is meant to be included in the Authorization header using the bearer format. See RFC-6750 for more information on Bearer token usage in OAuth.
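The following is an added example, not ZoomInfo's own client code, that walks through the whole flow described above: building the refresh request with the recommended HTTP Basic Authentication Scheme, validating the JSON token response, and rotating the stored refresh token so the consumed one is never reused. Because refresh token rotation is the security-relevant point of this page, the example also includes a constructed FakeAuthServer that models single-use refresh tokens and rejects a replayed one with invalid_grant; it stands in for the real token endpoint so the code runs offline. The client_id and client_secret values are placeholders, the refresh token value is the one shown on the page, and the transport callable is an assumption of this example (any real HTTP library call with the same signature would do).

```python
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Token endpoint as given on the page.
TOKEN_ENDPOINT = "https://api.zoominfo.com/gtm/oauth/v1/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the HTTP Basic Authorization value from client_id:client_secret."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_refresh_request(client_id: str, client_secret: str, refresh_token: str):
    """Return (url, headers, body) for a refresh_token grant using Basic auth."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
    return TOKEN_ENDPOINT, headers, body


class TokenStore:
    """Current access/refresh pair for one user; rotated on every refresh."""

    def __init__(self, access_token: str, refresh_token: str, expires_at: float):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.expires_at = expires_at

    def needs_refresh(self, now: float, skew: float = 60.0) -> bool:
        """Refresh a little early so a token never expires mid-request."""
        return now + skew >= self.expires_at


def apply_token_response(store: TokenStore, payload: dict, now: float) -> TokenStore:
    """Validate the JSON body from the token endpoint and rotate stored tokens."""
    for key in ("access_token", "refresh_token", "expires_in", "token_type"):
        if key not in payload:
            raise ValueError(f"token response missing {key}")
    if payload["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {payload['token_type']!r}")
    store.access_token = payload["access_token"]
    store.refresh_token = payload["refresh_token"]  # the old one is now invalid server-side
    store.expires_at = now + int(payload["expires_in"])
    return store


def refresh_access_token(store, client_id, client_secret, transport, now=None):
    """transport(url, headers, body) -> (status, dict); injected so this runs offline."""
    now = time.time() if now is None else now
    url, headers, body = build_refresh_request(client_id, client_secret, store.refresh_token)
    status, payload = transport(url, headers, body)
    if status != 200:
        raise PermissionError(f"refresh failed: {status} {payload.get('error')}")
    return apply_token_response(store, payload, now)


class FakeAuthServer:
    """Constructed stand-in for the authorization server with single-use refresh tokens."""

    def __init__(self, client_id, client_secret, initial_refresh_token):
        self.expected_auth = basic_auth_header(client_id, client_secret)
        self.live_refresh_tokens = {initial_refresh_token}

    def __call__(self, url, headers, body):
        if url != TOKEN_ENDPOINT or headers.get("Authorization") != self.expected_auth:
            return 401, {"error": "invalid_client"}
        form = {k: v[0] for k, v in parse_qs(body).items()}
        presented = form.get("refresh_token")
        if form.get("grant_type") != "refresh_token" or presented not in self.live_refresh_tokens:
            return 400, {"error": "invalid_grant"}  # unknown or already-consumed refresh token
        self.live_refresh_tokens.discard(presented)  # rotation: each refresh token is used once
        new_refresh = secrets.token_urlsafe(32)
        self.live_refresh_tokens.add(new_refresh)
        return 200, {
            "access_token": "at-" + secrets.token_urlsafe(16),
            "expires_in": 1000,
            "refresh_token": new_refresh,
            "scope": "api:data:company api:data:contact",
            "token_type": "Bearer",
        }


def demo():
    """Run one refresh, then show that the consumed refresh token is rejected on replay."""
    client_id, client_secret = "example-client-id", "example-client-secret"  # placeholders
    first_refresh = "7PV7YVxG0UswgzFFaX-mDMoVRIgN5WEfLS0hfx9qSDo"  # value shown on the page
    server = FakeAuthServer(client_id, client_secret, first_refresh)
    store = TokenStore("old-access", first_refresh, expires_at=0.0)
    refresh_access_token(store, client_id, client_secret, server, now=1_000_000.0)
    rotated = store.refresh_token != first_refresh
    status, err = server(*build_refresh_request(client_id, client_secret, first_refresh))
    return rotated, status, err.get("error"), store.expires_at


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping in mind when adapting this: persist the new refresh_token before using it for anything, because with rotation enabled a crash between receiving the response and saving it leaves the client with only an invalidated token; and treat an invalid_grant response on a refresh as a signal to send the user back through the Authorization Code Flow rather than retrying, since the old token will never become valid again.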