Frequently asked questions


OAuth 2.0



  • When is OAuth 1.0a being deprecated?

    Here's what to expect with the move to OAuth 2.0:

    • 2nd December 2019: Developers will no longer be able to create new OAuth 1.0a apps
    • Mid-December 2019: A migration endpoint will be available allowing partner apps to seamlessly migrate existing connections to OAuth 2.0
    • December 2020: OAuth 1.0a will no longer be supported for any integrations


  • Is OAuth 2.0 recommended over OAuth 1.0a?

    We recommend creating OAuth 2.0 apps for all new integrations.



  • Is there an equivalent of two-legged private apps in OAuth 2.0?

    No, all users will follow the same OAuth 2.0 code flow. Once you have an access token and refresh token you can refresh indefinitely or until the token is revoked by the user.



  • What is the expiration for an access token?

    30 minutes.



  • What is the expiration for a refresh token?

    Refresh tokens expire once they’re used or after 30 days. If you don’t refresh your access token within 30 days the user will need to reauthorize your app.



  • What do I do if I can't refresh an access token?

    If you can’t refresh your access token you’ll need to send the user through the authorization flow again to get a code that can be exchanged for a new access and refresh token.



  • How should I handle callback failure?

    If the callback fails for any reason you will need to send the user through the auth flow again. If the user got as far as connecting their org the first time, it will show as already connectected the second time. They can continue to click through as normal to be redirected back to your app with a new code.



  • Will OAuth 2.0 support desktop/mobile/single-page apps that can’t keep a client secret confidential?

    At the moment, we require that your app can keep a client secret confidential. We are currently evaluating the PKCE extension to better support SPAs and mobile apps.