Envato Oauth new refresh token missing in Refresh token call.

I am using Envato API for generating Access token and refresh token. Maximum duration for access token is 1 hour, so after 1 hour I use the refresh token to generate a new access token.
Unfortunately, unlike standard oAuth, this time (refresh token api hit) we do not get a new refresh token and using the same refresh results in a 400 error.
So, I am forced to ask user to re-authenticate via Envato and get a new access token which is not the desired way to do this.
Is this a bug or you (envato) want us to ask users to re-authenticate users again and again ?

Consider Use Case : Theme Update in WP admin - Updates stop appearing after 2 hours. Theme updates happen over a period of time in days , weeks, months. I am storing the access token call in database. Now, when user opens WP admin - updates section he’s able to see the update once via refresh token, but tokens expire every hour. So, second time (after 1 hour) the refresh token does not generate a new access token and I have to ask user to go to Options panel to re-authenticate via Envato login as the updates have stopped appearing.

Kindly help.

Hi @VibeThemes

Opening a support ticket is the best way to get help with a problem with our systems. These forums are not monitored routinely and don’t allow for tracking the issue very well. Could you please open a ticket there? If you provide a link to this forum post the ticket should get routed to me quickly.

In the meantime, I’ll start looking at what’s happening here – that’s not expected behavior. I’ve just performed a full oauth session just now, and it worked as expected for me. The steps are described in the oauth documentation:

  1. Create new oauth app at build.envato.com
  2. Authenticate the user & grant access
  3. Exchange one-time code for an access token & refresh token pair
  4. Use access token to request a resource from the API
  5. Use refresh token to generate a new access token (pretending that the original access token has now expired)
  6. Use new access token to request a resource
    (repeat steps 5 and 6 as many times as is necessary)

The refresh token you receive in step 3 above never expires; it lasts for as long as the user continues to grant you access. The access token expires every hour, but you can use the refresh token to generate a new access token at any time. The user does not need to re-authenticate. Your implementation should be storing the refresh token, the access token, and the access token’s expiry time. When the access token has expired, you should generate a new access token and update your database with the new access token and expiry time.

If this is what you’re doing and it’s not working, please open a support request as mentioned above and provide further details of the failed request. It sounds like the step that’s not working is step 5, using the refresh token to get a new access token. Please provide the full HTTP transaction, including headers, for that step so I can further troubleshoot.


Thank you for the details. Yes, this is what I am doing. I will re-check and submit a support ticket soon.