X (Twitter) — Token Refresh Failures

X's OAuth 2.0 implementation has well-documented, platform-side issues with refresh tokens that can cause users to be asked to reconnect their account. This page explains the issue, what Outstand does to handle it, and what you can do as a user.

How Outstand handles X tokens

Outstand's X integration follows X's OAuth 2.0 best practices:

1. We request the offline.access scope during authorization, which tells X to issue a refresh token alongside the access token.
2. We store both tokens (access token and refresh token) securely after the OAuth callback.
3. We automatically refresh tokens before every API call. If the access token is expired or about to expire, we exchange the refresh token for a new token pair — no user intervention required.

This is the correct implementation as described in X's official OAuth 2.0 documentation.

The platform-side problem

Despite correct implementation, X's OAuth 2.0 refresh tokens can become invalid unexpectedly. This is a known issue on X's platform and affects all integrations — not just Outstand.

Key behaviors reported by developers across the ecosystem:

• Refresh tokens are single-use and rotate on every refresh. Each time a refresh token is used, X issues a new access token and a new refresh token. The previous refresh token is immediately invalidated. If the new token fails to be stored (e.g., due to a transient network error), the connection is permanently broken.
• Refresh tokens expire randomly. Multiple developers report tokens being invalidated by X well before the documented 6-month lifetime, with no clear reason.
• The error is opaque. X returns "Value passed for the token was invalid" without explaining why the token was invalidated.

Public reports

These issues are widely reported in the X Developer Community and on GitHub:

• Refresh token expiring (with offline.access scope) — long-running thread with developers reporting refresh tokens becoming invalid despite correct usage.
• Refresh tokens randomly expiring — "Value passed for the token was invalid" — tokens invalidated without explanation, affecting some users but not others.
• Refresh token getting frequently expired — reports of tokens expiring far sooner than the documented 6-month lifetime.
• OAuth 2.0 refresh tokens not working — developers reporting the refresh flow failing intermittently.
• OAuth 2.0 refresh token failure continuing — ongoing reports of refresh failures across different apps and implementations.
• better-auth #2095 — X (Twitter) refreshAccessToken — GitHub issue on a popular auth library confirming the same problems.

What you can do

If a user's X connection stops working due to a token refresh failure:

1. Reconnect the account. This is currently the only reliable fix when X invalidates a refresh token. The user needs to go through the OAuth flow again to get a fresh token pair.
2. Check for app permission changes. If you changed permissions or scopes on your X Developer App, existing tokens may be revoked by X.
3. Verify your X app is active. Suspended or restricted X Developer Apps will have all tokens revoked.

Status

This is an ongoing platform-level issue on X's side. We continue to monitor for changes and will update our implementation if X resolves or changes their token refresh behavior.

If you are experiencing this issue, please contact support with the affected account details so we can investigate further.