
Refresh tokens and PKCE?

  • January 17, 2026
  • 3 replies
  • 0 views

We got the announcement that we need to implement refresh tokens for our app. I've been following along with https://support.zendesk.com/hc/en-us/articles/4408845965210-Using-OAuth-authentication-with-your-application and suddenly am confused. In the section “Refreshing an access token,” it defines the POST body, including

client_secret - Use the secret specified in the OAuth client in the Zendesk Admin Center (Apps and integrations > APIs > OAuth Clients). See Registering your application with Zendesk.

Have I misunderstood? Our app is PKCE and specifically shouldn't be passing the client_secret. How am I supposed to refresh the token without embedding the client secret in our browser JavaScript?

3 replies

Greg29
  • January 20, 2026

Hi Dru! Looks like we need to update those docs to include this information in both places, but if you're using PKCE, you don't have to pass the client_secret. You can see that here. I'll make sure that we get that info sorted shortly. 
 

Let us know if you have any other questions and apologies for the headache!


  • Author
  • January 20, 2026

Thank you for the information, Greg! Am I to understand, then, that in the case of a PKCE integration, we still need to do all of the refresh token things, it's just that when we request a refreshed token, we don't pass the `client_secret`, correct? 


  • Author
  • February 9, 2026

Hi Greg, I thought I had replied but must have never hit send. Thanks for this information. I had to drop my work on getting this for another priority, but getting back into it. Thanks for that clarification, much appreciated! May I suggest another documentation update? This page under “Refreshing an access token” says

grant_type - Specify the string "refresh token" as the value.

I would request that you update that to say “refresh_token”, with an underscore, not a space. It shows an underscore in the example code below but I wasn't referencing that because I'm not writing in Python.
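
The refresh request discussed in this thread, as an added example that is not part of any post or of Zendesk's documentation: a browser-side refresh for a PKCE (public) client that sends `grant_type` as `refresh_token` with an underscore and no `client_secret`. The `/oauth/tokens` path, the JSON body, and all function and field names are assumptions.

```javascript
// Added example, not Zendesk's code. Assumptions: the /oauth/tokens path,
// a JSON request body, and every function and field name below.
function buildRefreshRequest({ subdomain, clientId, refreshToken }) {
  // Reject anything that could send the refresh token to another host.
  if (!/^[a-z0-9][a-z0-9-]*$/i.test(subdomain || "")) {
    throw new Error("invalid subdomain");
  }
  if (!clientId || !refreshToken) {
    throw new Error("clientId and refreshToken are required");
  }
  const body = {
    grant_type: "refresh_token", // underscore, not a space
    refresh_token: refreshToken,
    client_id: clientId,
    // no client_secret: a public (PKCE) client has none to send
  };
  return {
    url: `https://${subdomain}.zendesk.com/oauth/tokens`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(body),
    },
  };
}

// Fold a token response into the in-memory token state.
function applyTokenResponse(state, json, nowMs = Date.now()) {
  if (!json || typeof json.access_token !== "string") {
    throw new Error("token response has no access_token");
  }
  return {
    accessToken: json.access_token,
    // If the server rotates refresh tokens, the old one must be replaced.
    refreshToken: json.refresh_token || state.refreshToken,
    expiresAt: Number.isFinite(json.expires_in) ? nowMs + json.expires_in * 1000 : null,
  };
}

// Performs the refresh; fetchImpl is injectable so it can be stubbed.
async function refreshTokens(cfg, state, fetchImpl = fetch) {
  const { url, init } = buildRefreshRequest({ ...cfg, refreshToken: state.refreshToken });
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`refresh failed: HTTP ${res.status}`);
  return applyTokenResponse(state, await res.json());
}
```

Keeping the returned state in memory rather than in `localStorage` limits how long a refresh token is exposed to other scripts on the page.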