'Parse companyId and userId from the refresh token', is that OK?

I found that the refresh token obtained via OAuth contains companyId and userId.
For example, "refresh_token": "12257221:12868499:e9faxxxxxxxxxxx9e5".
So I use the refresh_token to extract companyId and userId instead of calling the ‘/user/me’ API, so that I can save one API call.
My question is: is this approach OK, and will it work in the future? Or will the refresh_token’s generation rule not change in the future?
Please correct me if I’m wrong.

Hey!

We do not recommend this approach. Best practice would be to treat all OAuth tokens as opaque from the client side. We don’t have any plans on changing the format of the refresh token, but we don’t guarantee that the format stays the same in the long run.

Kind regards,
Ruudi

2 Likes

Thanks for your reply.
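The opaque-token advice above, as an added example that is not from the original thread or the API vendor: the client calls `/user/me` once per authorization, stores the identity next to the token, and never inspects the token itself, so the extra API call is paid only once. The `ConnectionStore` class, the `fetch_me` callable and the `companyId`/`userId` response field names are assumptions; the changed-format token is constructed.

```python
from typing import Callable, Dict, List, Tuple

PAGE_TOKEN = "12257221:12868499:e9faxxxxxxxxxxx9e5"  # format shown in the question
CHANGED_TOKEN = "v2.constructed-opaque-value"         # constructed: a possible future format

def parse_identity(refresh_token: str) -> Tuple[str, str]:
    """Approach from the question: relies on a token layout nobody guarantees."""
    company_id, user_id, _rest = refresh_token.split(":")
    return company_id, user_id

class ConnectionStore:
    """Keeps tokens verbatim; identity comes from the API once per authorization."""

    def __init__(self, fetch_me: Callable[[str], Dict]):
        self._fetch_me = fetch_me  # hypothetical wrapper around GET /user/me
        self._records: Dict[str, Dict[str, str]] = {}

    def save_grant(self, conn_id: str, access_token: str, refresh_token: str) -> None:
        me = self._fetch_me(access_token)  # the single /user/me call
        self._records[conn_id] = {
            "refresh_token": refresh_token,      # stored as-is, never parsed
            "company_id": str(me["companyId"]),  # assumed response field
            "user_id": str(me["userId"]),        # assumed response field
        }

    def rotate(self, conn_id: str, new_refresh_token: str) -> None:
        # A refreshed token replaces the old one; the stored identity is untouched.
        self._records[conn_id]["refresh_token"] = new_refresh_token

    def identity(self, conn_id: str) -> Tuple[str, str]:
        rec = self._records[conn_id]
        return rec["company_id"], rec["user_id"]

def make_fake_fetch_me() -> Tuple[Callable[[str], Dict], List[str]]:
    """Constructed stand-in for the real HTTP call so the example runs offline."""
    calls: List[str] = []
    def fetch_me(access_token: str) -> Dict:
        calls.append(access_token)
        return {"companyId": 12257221, "userId": 12868499}
    return fetch_me, calls

def demo() -> Tuple[Tuple[str, str], int]:
    fetch_me, calls = make_fake_fetch_me()
    store = ConnectionStore(fetch_me)
    store.save_grant("conn-1", "constructed-access-token", PAGE_TOKEN)
    store.rotate("conn-1", CHANGED_TOKEN)  # format change does not matter here
    return store.identity("conn-1"), len(calls)
```

With the constructed changed format, `parse_identity` raises `ValueError`; a format change that kept three colon-separated fields would instead return wrong IDs without any error.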