Our scheduled dataflows between Integration Hub and a third-party analytics platform keep failing due to OAuth refresh token expiry. The dataflows run daily at 2 AM, but we’re seeing failures every 90 days when the refresh token expires. The initial OAuth setup works fine, but there’s no automated token renewal happening.
Here’s the error from the Integration Hub logs:
OAuth Error: refresh_token_expired
HTTP 401 Unauthorized
Token expired at: 2025-05-08T02:00:00Z
Data sync is completely halted until we manually reauthorize the connection, which is impacting our analytics reporting. I need to understand the OAuth token lifecycle in AEC 2023 and how to set up automated token renewal. Is there a configuration in Integration Hub that handles this automatically, or do we need custom logic?
You can use Integration Hub’s built-in scheduler for this. Create a new scheduled job with type “OAuth Token Refresh” and set it to run every 80 days. Point it to your connection ID and it will automatically request a new refresh token from the provider. Make sure your OAuth app with the third-party provider has the offline_access scope enabled, otherwise the provider won’t issue new refresh tokens.
You’re experiencing a common OAuth lifecycle management issue that requires addressing all three critical areas: token lifecycle understanding, automated renewal configuration, and Integration Hub setup.
OAuth Token Lifecycle in AEC 2023:
AEC 2023 uses a two-token OAuth 2.0 flow:
- Access Token: Short-lived (1 hour), used for API requests
- Refresh Token: Long-lived (90 days default), used to obtain new access tokens
The access token refresh happens automatically when enabled, but refresh token renewal requires proactive management because most OAuth providers don’t auto-renew refresh tokens - they expire absolutely after 90 days.
Automated Token Renewal Configuration:
Implement a three-tier renewal strategy:
- Enable Automatic Access Token Refresh:
Integration Hub > Connections > [Your Connection] > Authentication Settings
- Enable “Automatic Token Refresh”
- Set “Refresh Threshold” to 300 seconds (5 minutes before expiry)
- Configure Proactive Refresh Token Renewal:
// Pseudocode - Scheduled token renewal job:
1. Query OAuth connection for token expiry date
2. Calculate days until expiry: expiryDate - currentDate
3. If days < 10, trigger reauthorization workflow
4. Send notification to admin for manual approval
5. Upon approval, execute token refresh API call
Create scheduled job in Integration Hub:
- Job Type: Custom Script
- Schedule: Daily at 3 AM
- Script: Token Lifecycle Check (see above)
- Implement Refresh Token Rotation:
Some OAuth providers support refresh token rotation where each token refresh returns a NEW refresh token. Check your provider’s documentation and enable this if available. In Integration Hub config:
oauth.token.rotation.enabled=true
oauth.token.storage.mode=encrypted
oauth.token.rotation.grace_period=7d
Integration Hub Configuration:
Complete these configuration steps:
- Connection Settings Update:
Navigate to Integration Hub > Connections > [Analytics Platform Connection]
- Authentication Type: OAuth 2.0
- Token Endpoint: [Provider’s token URL]
- Scopes: Include
offline_access or equivalent for refresh token renewal
- Enable “Store Refresh Token Securely”
- Enable “Automatic Token Refresh”
- Create Token Monitoring Job:
Integration Hub > Scheduler > New Job
- Name: OAuth_Token_Monitor
- Type: System Maintenance
- Schedule: 0 3 * * * (Daily at 3 AM)
- Action: Check token expiry and alert if < 10 days remaining
- Configure Alert Rules:
Integration Hub > Alerts > New Rule
- Event: oauth.token.expiry.warning
- Condition: days_until_expiry <= 10
- Action: Email notification to integration team
- Recipients: data_integration_mgr@company.com
- Include: Connection name, expiry date, reauthorization link
- Set Up Fallback Mechanism:
Create a backup connection with separate OAuth credentials that activates automatically if primary token refresh fails. Configure in Integration Hub > Connections > Failover Settings.
Verification and Testing:
After configuration:
- Test access token refresh by waiting for expiry (or force it via API)
- Simulate refresh token expiry by temporarily invalidating it
- Verify alert notifications are sent correctly
- Confirm scheduled job runs and logs results
Best Practices for Long-Term Stability:
- Document the reauthorization process for emergency manual renewal
- Maintain a calendar reminder for manual check 5 days before 90-day mark
- Rotate OAuth client secrets annually
- Monitor Integration Hub logs daily for any authentication warnings
- Keep a test connection for validating OAuth flow changes
For AEC 2023, also enable the “OAuth Connection Health Check” feature introduced in version 2023.2, which proactively validates token status every 6 hours and logs any potential issues before they cause dataflow failures.
The 90-day refresh token expiry is common with many OAuth providers. You need to implement a token lifecycle management strategy. Set up a scheduled job that proactively refreshes the token every 80 days (before the 90-day expiry). Integration Hub in AEC 2023 has a Token Management API you can use to programmatically refresh tokens without manual intervention.
I found the “Enable Automatic Token Refresh” setting and it was disabled. I’ve enabled it now, but I’m concerned about the 90-day refresh token expiry. How do I set up the proactive refresh job you mentioned? Is this something I configure in the Integration Hub scheduler or does it require custom code?
Also important: configure notification alerts for token refresh failures. Go to Integration Hub > Alerts and set up an alert rule for “OAuth Token Refresh Failed” events. This way your team gets notified immediately if the automated renewal fails, giving you time to manually reauthorize before the dataflows start failing.
AEC 2023 Integration Hub does support automatic token renewal, but it needs to be explicitly enabled. Check your connection settings under Authentication Configuration. There should be a checkbox for “Enable Automatic Token Refresh” that triggers renewal when the access token expires (typically every hour). However, if your refresh token itself is expiring every 90 days, that’s a provider-side limitation.