Skip to content

feat(sentry apps): Update the refresh token docs to have manual refresh #15390

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Nov 11, 2025
Merged

feat(sentry apps): Update the refresh token docs to have manual refresh #15390

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
5c56a3f
update the refresh token docs to have manual refresh
Christinarlong Nov 3, 2025
ecf6789
fix sentry comments
Christinarlong Nov 3, 2025
2fce210
update headers
Christinarlong Nov 3, 2025
5963c38
Merge branch 'master' into crl/update-docs-for-token-refresh
cleptric Nov 4, 2025
9394e13
nits
Christinarlong Nov 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 45 additions & 1 deletion docs/organization/integrations/integration-platform/public-integration.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ All public integrations can be installed via a fixed external url: `https://sent
Public integrations generate [authentication tokens](/organization/integrations/integration-platform/#auth-tokens) after a successful [OAuth installation](#oauth-process).
These tokens automatically expire every eight hours, meaning they must be refreshed manually.

### Refreshing Tokens
### Refreshing Tokens via Refresh Token (preferred)

In the initial installation, you'll need the grant code given to you in either the installation webhook request or the redirect URL, in addition to your integration's client ID and client Secret:

Expand Down Expand Up @@ -108,6 +108,50 @@ def refresh_token(install_id):
return new_token
```

### Refreshing Tokens Manually for Integrators
Sometimes technical anomalies can lead to token refreshing being committed on the Sentry side but then the token is lost in transmission on the way back. As a result, we've added a method for integrators to explicitly refresh and request a new token for their installers.

This manual refresh method uses a different authorization scheme where you will need to send a JWT signed with your client secret to the previous
Copy link
Member

@sentaur-athena sentaur-athena Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason for someone not to use this every time to get a refresh token? I mean should we recommend that instead of asking them to refresh after fail?

Copy link
Contributor Author

@Christinarlong Christinarlong Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I thought about this for a bit and I'm not sure tbh, I assume refresh tokens are preffered but yeah this feature does basically the same thing. I'll ask security.

Copy link
Contributor Author

@Christinarlong Christinarlong Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Michelle and I poked into this a bit and it looks like for the Oauth 2.1 spec it's required to have the refresh_token and authorizations grant so we should keep those and have those as preferred. It seems like it would be preferable to move toward the client secret JWT method for authentication as a future TODO. I will mark the refresh_token grant_type/method as preferred.

`/api/0/sentry-app-installations/{}/authorizations/` endpoint with the below claims and payload.

```python
def manual_token_refresh(install_id):
url = u'https://sentry.io/api/0/sentry-app-installations/{}/authorizations/'
url = url.format(install_id)

now = datetime.now(timezone.utc).timestamp()
client_secret = "XXXX-XXXX-XXXX"
client_id = "1234-5678-9999"
iat = now
exp = now + 60 # 1 minute validity period

claims = {
'iss': client_id,
'sub': client_id,
'iat': iat,
'exp': exp,
'jti': str(uuid.uuid4()),
}
jwt_token = jwt.encode(claims, client_secret, algorithm="HS256")

headers = {
'Authorization': f'Bearer {jwt_token}',
'Content-Type': 'application/json'
}
payload = {
'grant_type': 'urn:sentry:params:oauth:grant-type:jwt-bearer',
}

resp = requests.post(url, json=payload, headers=headers)
data = resp.json()

new_token = data['token']
new_refresh_token = data['refreshToken']
# ... Securely update the token and refresh_token in DB...

return new_token
```

The data you can expect back for both the initial grant code exchange and subsequent token refreshes is as follows:

```json
Expand Down
Loading