Starting November 14, 2017, when an authorization code is used to generate access tokens twice, all access tokens and refresh tokens resulting from that authorization code will be revoked. We do not expect this change to affect any integrations but wanted to make everyone aware of the update.
Currently, authorization codes can only be used once and must be used within 10 minutes of being generated.
With this update, that will continue to be true. In addition, if anyone attempts to exchange an authorization code a second time, the access token generated with the first exchange will be revoked. This change brings us in line with the OAuth framework guidelines. We do not expect this change to break anything, as authorization codes should not be exchanged more than once. If you are concerned this change has impacted your integration, please let us know.
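
A minimal server-side model of the behaviour described above, added here as an illustration and not the provider's own code. The class and function names, the in-memory store and the error strings are assumptions; checking for reuse before expiry is also an assumed ordering.

```python
import secrets

CODE_TTL_SECONDS = 600  # codes must be used within 10 minutes of being generated


class AuthCodeStore:
    """In-memory model of code issuance, exchange and replay revocation."""

    def __init__(self):
        self.codes = {}      # code -> {"issued_at": float, "tokens": list or None}
        self.active = set()  # currently valid access and refresh tokens

    def issue_code(self, now):
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"issued_at": now, "tokens": None}
        return code

    def exchange(self, code, now):
        """Return (access_token, refresh_token) or raise ValueError."""
        entry = self.codes.get(code)
        if entry is None:
            raise ValueError("invalid_grant: unknown code")
        if entry["tokens"] is not None:
            # Second exchange attempt: revoke everything the first one produced.
            self.active.difference_update(entry["tokens"])
            raise ValueError("invalid_grant: code reused, tokens revoked")
        if now - entry["issued_at"] > CODE_TTL_SECONDS:
            raise ValueError("invalid_grant: code expired")
        entry["tokens"] = [secrets.token_urlsafe(24), secrets.token_urlsafe(24)]
        self.active.update(entry["tokens"])
        return tuple(entry["tokens"])

    def is_active(self, token):
        return token in self.active


def replay_demo():
    """Constructed scenario: one valid exchange, then a replay of the same code."""
    store = AuthCodeStore()
    code = store.issue_code(now=0)
    access, refresh = store.exchange(code, now=30)
    before = store.is_active(access) and store.is_active(refresh)
    try:
        store.exchange(code, now=60)
        rejected = False
    except ValueError:
        rejected = True
    after = store.is_active(access) or store.is_active(refresh)
    return before, rejected, after
```

A client that retries a token request after a timeout can trigger this path, so integrations should treat the code as consumed once the exchange request has been sent.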