Why does the Bing Webmaster Tools OAuth refresh token expire within hours even when refreshed correctly?

Deca Dence 0 Reputation points
2025-10-13T16:33:49.2966667+00:00

Hello,

I’m integrating Bing Webmaster Tools via OAuth and have run into a recurrent issue with refresh tokens. The integration follows Microsoft’s documentation:

  1. We request an authorization code with the webmaster.read webmaster.manage scopes.
  2. We exchange the code at https://www.bing.com/webmasters/oauth/token.
  3. We store the returned access token, refresh token, and expires_in value.
  4. Whenever the access token is close to expiry, we call the same token endpoint with grant_type=refresh_token, pass the most recent refresh token, and immediately replace the old refresh token with the new one returned by Bing (as the docs instruct).

Despite this, the refresh token becomes invalid within 6–12 hours. Our logs show the first refresh succeeding (we receive a brand-new refresh token), but any subsequent refresh attempts later in the day fail with invalid_grant, forcing a complete reauthorization.

Could you clarify under what conditions a newly issued refresh token would be revoked so quickly, and whether there’s a recommended pattern to keep the connection alive without asking users to reauthorize every morning?

Thanks in advance.

Bing | Bing Webmaster Tools
A Microsoft service that provides website owners with tools to monitor, analyze, and optimize their site's performance in Bing search results.

1 answer

  1. Richard Trinidad 6,040 Reputation points Independent Advisor
    2025-10-13T17:28:02.5633333+00:00

    Hi Deca, thanks for posting here in the Microsoft community. This issue with Bing Webmaster Tools OAuth refresh tokens expiring quickly even when refreshed correctly is likely due to refresh token rotation: each refresh token is single use. Once you use it, it’s invalidated and replaced with a new one. If you accidentally reuse an old token (even once), it triggers an invalid_grant error. Microsoft enforces this strictly to prevent security issues like replay attacks.

    This might be caused by race conditions: multiple processes trying to refresh at the same time, and the token not being saved properly. If the new refresh token isn’t stored immediately, your app might keep using the old one.

    The best way is to always store the new refresh token right after a successful refresh and use a lock or mutex to prevent concurrent refresh attempts. If a refresh fails with invalid_grant, prompt the user to reauthorize.

    To keep the connection alive without daily reauth, make sure your app handles token rotation carefully and avoids reusing old tokens.

    I hope this helps you. Let me know if you need more help.

    Chard
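
The pattern the answer above describes (one refresher at a time, the rotated refresh token stored immediately, invalid_grant mapped to reauthorization), as an added example that is not part of the original thread or Microsoft's code. `RotatingTokenStore`, `ReauthorizationRequired`, the JSON token file and the `post_token` callable (assumed to POST the form to the token endpoint and return the status and parsed body) are hypothetical names; the file lock is POSIX-only.

```python
import fcntl, json, os, tempfile, time

class ReauthorizationRequired(Exception):
    """Refresh token rejected with invalid_grant; the user must consent again."""

class RotatingTokenStore:
    """Serializes refreshes so a single-use refresh token is never sent twice."""

    def __init__(self, path, post_token, skew=60):
        self.path = os.path.abspath(path)  # JSON file holding the current token set
        self.post_token = post_token       # hypothetical: form dict -> (status, body dict)
        self.skew = skew                   # refresh this many seconds before expiry

    def _save(self, tokens):
        # Write to a temp file (mode 0600), fsync, then rename, so a crash
        # mid-write never leaves a half-written token file behind.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path))
        with os.fdopen(fd, "w") as f:
            json.dump(tokens, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)

    def access_token(self):
        # flock on a sidecar file excludes other threads and other processes;
        # the lock is released when the file is closed.
        with open(self.path + ".lock", "w") as lock:
            fcntl.flock(lock, fcntl.LOCK_EX)
            with open(self.path) as f:      # re-read under the lock: a peer may
                tokens = json.load(f)       # already have rotated the token
            if tokens["expires_at"] - self.skew > time.time():
                return tokens["access_token"]
            status, body = self.post_token({
                "grant_type": "refresh_token",
                "refresh_token": tokens["refresh_token"],
            })
            if status != 200:
                if body.get("error") == "invalid_grant":
                    raise ReauthorizationRequired("refresh token no longer valid")
                raise RuntimeError(f"token endpoint returned {status}")
            rotated = {
                "access_token": body["access_token"],
                # keep the old value only if the server did not rotate it
                "refresh_token": body.get("refresh_token", tokens["refresh_token"]),
                "expires_at": time.time() + body["expires_in"],
            }
            self._save(rotated)             # persist before returning to any caller
            return rotated["access_token"]
```

Every worker, cron job and web process must go through the same token file and lock; a second copy of the refresh token kept anywhere else reintroduces the reuse problem.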

