Help Wizard

Step 1



Please see below the most popular frequently asked questions.

Loading article...

Loading faqs...


Ongoing Issues

Please see below the current ongoing issues which are under investigation.

Loading issue...

Loading ongoing issues...


Why am I getting a new refresh_token when I request a refreshed access token?

Why am I getting a new refresh_token when I request a refreshed access token?

I am use the authorization code flow for authentication with my app. When my access_token is about to expire and I request a new one using my refresh_token, Spotify does the request but also provides me a new refresh_token and invalidates my previous one.


I am following the flow described here:

Step 4 indicates that the response will be the following: 

   "access_token": "NgA6ZcYI...ixn8bUQ",
   "token_type": "Bearer",
   "scope": "user-read-private user-read-email",
   "expires_in": 3600

However, I get the following response: 





{ access_token:"BQA...GWU",
  token_type: 'Bearer',
  expires_in: 3600,
   'playlist-read-private playlist-read-collaborative user-follow-read playlist-modify-private user-read-email user-read-private app-remote-control user-follow-modify user-modify-playback-state user-library-read user-library-modify playlist-modify-public user-read-playback-state user-read-currently-playing user-read-recently-played user-top-read' }




Note the "refresh_token" in the response. 

3 Replies

Interesting, what language are you using? I am also having issues with my tokens in Swift, but I can't even get a return :/... When using the cURL command I can get a proper refresh token, but not when I request in Swift. (I am fairly new to using API's so my code might just be poor)

Honestly, I think they implemented this incorrectly and didn't understand the protocol. The whole point of oauth2 is that the refresh token is only revoked if the user removes access from the app. With spotify you do this here:


It is really weird that you new refresh tokens every time. If someone would intercept the refresh token they could in theory use it for a long time! 

Old thread, but just wanted to clarify that a service can (optionally) send a new refresh token when the existing one is redeemed by a client.  See


Any intercept risk is mitigated by the service also checking for Client Authentication.

Suggested posts