Should the refresh token be the same for different installs


#1

I am integrating with Hubspot through a web application and I make a web request with the necessary data fields to get the oauth code,

Something like: https://app.hubspot.com/oauth/authorize?client_id=123&scope=contacts&redirect_uri=myurl.com

I then use the returned code to get the access token and refresh token, etc

What I am seeing is I have 2 different “accounts” - accounts in our separate web application, installed in the same Hubspot portal (one was uninstalled and then replaced by a fresh install) and both have the same refresh token

I think I know the answer but is this expected behaviour? Is it because the hubspot portal I am installing into and the install url are the same? So in reality the refresh token would be different?

Thanks,
Andrew


#2

Hi @andrewb,

If an integration is uninstalled from a portal, the refresh token is invalidated; if an integration is re-authed without being uninstalled, the refresh token remains valid (and remains the same). This means that if you go through the authentication twice without uninstalling the app, you’ll get the same refresh token. If you install, then uninstall, then reinstall the app, you should get two different refresh tokens.