OAuth Notification Callback returns empty auth_code

We have been experiencing sporadic drops in our user sessions. We have identified this occurrence to the refreshing of our access_token. Below is a sample payload of what our service receives from Tyk on token refresh:

  {
    "auth_code": "",
    "new_oauth_token": "shhh",
    "refresh_token": "shhh",
    "old_refresh_token": "shhh",
    "notification_type": "refresh"
  }

Any reason as to why Tyk would ever return an empty auth_code?

Tyk info:

  • Version: v1.9.1
  • Binary: tyk-linux-amd64-

API info:

    "use_oauth2": true,
    "oauth_meta": {
        "allowed_access_types": [
        "allowed_authorize_types": [
        "auth_login_redirect": "http://our_service/login"
    "auth": {
        "use_param": false,
        "use_cookie": false,
        "auth_header_name": "Authorization"
    "use_basic_auth": false,
    "enable_jwt": false,
    "jwt_signing_method": "",
    "notifications": {
        "shared_secret": "shhh",
        "oauth_on_keychange_url": "http://our_service/token/"

This looks correct, you are getting a refresh notification and we index based on the refresh token, so you have:

  1. The new access token (no auth code because that’s not how refresh requests work)
  2. The refresh token used to get a new token
  3. The new refresh token to index for when they refresh again

Basically, the client is using the refresh token to generate a new access token, not an auth code - with a refresh request you don’t get a new auth code, you just get an access token.

Only the first auth request will generate an auth_code, but it will get used up as soon as the client generates its access token and gets a refresh token back, after that it just uses the refresh token.

(Hope that makes sense!)

Thanks for the Response Martin.

If there’s no AuthCode, does that mean the RefreshToken is used as the session identifier and not the authcode?

The auth code is used in the first interaction; this, when used, generates an access token, and the access token is the session identifier.

When the refresh is used, a new access token is generated and that becomes the session identifier.

To track it back to an identity you will need to track the auth and refresh codes as the notifications come in since the tokens themselves are never re-sent when a session is refreshed.
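The tracking described in this thread, sketched as an added example (not part of the original posts and not Tyk code): a receiver that ties each notification back to a user by following the auth code and then the chain of refresh tokens. It assumes the service records which user each auth code was issued for, that `old_refresh_token` is the token that was used and `refresh_token` its replacement, and that the shared secret reaches the handler as a string; `SessionIndex`, `expect`, `handle` and `demo` are hypothetical names.

```python
import hmac

class SessionIndex:
    """Tracks which user each Tyk-issued token belongs to, from notifications."""

    def __init__(self, shared_secret):
        self._secret = shared_secret.encode()
        self.pending = {}     # auth_code -> user, recorded by our own login step
        self.by_refresh = {}  # current refresh token -> (user, access token)
        self.by_access = {}   # current access token -> user

    def expect(self, auth_code, user):
        """Call when our login page approves a user and an auth code is issued."""
        self.pending[auth_code] = user

    def handle(self, presented_secret, note):
        """Apply one notification payload; return the user it belongs to."""
        if not hmac.compare_digest(presented_secret.encode(), self._secret):
            raise PermissionError("shared secret mismatch")
        if note.get("notification_type") == "refresh":
            # auth_code is empty on refresh: identity comes from the token used.
            user, old_access = self.by_refresh.pop(
                note.get("old_refresh_token", ""), (None, None))
            if user is None:
                raise LookupError("refresh token unknown or already rotated")
            self.by_access.pop(old_access, None)  # retire the previous session id
        else:
            # First exchange: the one-time auth code links the tokens to a user.
            user = self.pending.pop(note.get("auth_code", ""), None)
            if user is None:
                raise LookupError("auth_code unknown or already used")
        self.by_refresh[note["refresh_token"]] = (user, note["new_oauth_token"])
        self.by_access[note["new_oauth_token"]] = user
        return user

def demo():
    # Constructed payloads; token values and the "new" type are placeholders.
    idx = SessionIndex("constructed-secret")
    idx.expect("code-1", "alice")
    idx.handle("constructed-secret", {"auth_code": "code-1", "new_oauth_token": "at-1",
               "refresh_token": "rt-1", "old_refresh_token": "", "notification_type": "new"})
    idx.handle("constructed-secret", {"auth_code": "", "new_oauth_token": "at-2",
               "refresh_token": "rt-2", "old_refresh_token": "rt-1", "notification_type": "refresh"})
    return idx.by_access  # {"at-2": "alice"}

if __name__ == "__main__":
    print(demo())
```

A `LookupError` on a refresh notification means the receiver missed an earlier notification or the same one was delivered twice; either way the session can no longer be tied to a user and is worth logging.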