How do you refresh OAuth tokens from the credentials feature outside of an automation block?

Question

Let's say my app is an integration with M365/Outlook and has a trigger "When email is flagged in Outlook"...

I need to create this automation block as a trigger with:

A subscribe URL - create the incoming webhook subscription from Outlook to listen to events
An unsubscribe URL - deletes the incoming webhook from Outlook

Both of these will use the credentials feature and monday will pass me a valid, but short lived access token for use with Microsoft 365.

Here's the hard part...

I also need to regularly update the Microsoft Graph to renew the webhook subscription (as mail subscriptions expire after 3 days)

This will need to be done with a monday-code cron job which:

requests a new access token from monday for the correct user
sends the webhook subscription renewal to Microsoft

In the old infra, we’d use a credentials field and handle the logic ourselves, in our app, but with the new infra, the credentials are stored by monday and are abstracted away completely.

👉 How do I request a new Microsoft access token from monday???
👉 Is this even possible?

dvdsmpsn · Answer

Just to add a running commentary to this, I opened a support ticket – #4919458 – and got the following response today:

Regarding the new apps framework infrastructure, the managed credentials feature is designed to deliver OAuth tokens strictly at runtime within the payload of execution blocks (such as actions or triggers). Currently, there is no native mechanism to programmatically pull or request these managed credentials from an isolated background context like a monday-code cron job.
To achieve your goal of renewing Microsoft Graph webhooks every 3 days via a scheduler, we recommend managing the token lifecycle manually within your background process. You can utilize monday-code Secure Storage to securely persist and handle your own OAuth tokens. Here is the approach:
When your integration block executes and receives the initial accessToken and refreshToken, securely store them and their expiry timestamps.

Structure your cron job endpoint to retrieve these tokens from Secure Storage, check the expiration, and programmatically call the Microsoft Graph refresh endpoint directly to handle the renewal.

This is the exact solution I used in the old automations infrastructure, when I had to do the token refresh myself and store it in SecureStorage.

The new workflow based infrastructure extracts that away and monday takes care of the access and refresh token.

I now do not have any eyes on the refresh token because monday never supplies me with that information.

The automation body is in the following format:

{
  "payload": {
    "blockKind": "action",
    "credentialsValues": {
      "microsoftToken": {
        "userCredentialsId": 37300,
        "accessToken": "...",
        "userCredentialsParams": {},
        "tokenRequestedParams": {}
      }
    },
    ...  
  },
  ...
}

As you can see, the refresh token and expiry are never received by the automation block, even after reauthenticating with the external system in the workflow/automation block.

So I cannot do this myself as monday does not allow it.

It would be great to know how monday achieves this, say for incoming Outlook emails using the workflow based infrastructure?

They must be doing something similar to keep the "email received" webhook alive for the built in automation blocks.

The saga continues.

Sign up

Login to monday.com

Scanning file for viruses.

This file cannot be downloaded