Why do I get the same account_id and refresh_token for different users?

By default, when a user authorizes multiple calendar service accounts with your application, the Cronofy API links those service accounts under one Cronofy account. This makes sense in production but can create behaviour in development that looks odd on the face of it.

This works by dropping a Cronofy cookie in the browser of the authorizing user so we can recognize when they return and log in to additional calendar service accounts.

You can observe this behaviour by making a call to the /v1/account endpoint before and after authorizing a new calendar service. You’ll see that the account_id value remains the same.

To avoid this behaviour and generate a new Cronofy account for a new calendar service authorization, you have two options.

Incognito/Private browser window

Whilst in development, use an incognito/private browser window when authorizing new users. This will allow you to mimic the real world experience of users.

Use the avoid_linking parameter

When requesting authorization to a user’s calendar service account, you can pass avoid_linking=true as a query string parameter. This will force any cookies present to be ignored and a new account created.

    https://app.cronofy.com/oauth/authorize
    ?response_type=code
    &avoid_linking=true
    &client_id={CLIENT_ID}
    &redirect_uri={REDIRECT_URI}
    &scope={SCOPE}
    &state={STATE}

More information is available in the Request Authorization docs.
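An added example, not part of Cronofy's documentation or code: a Python helper that builds the authorization URL above with avoid_linking=true and a fresh random state, plus a development check that flags any account_id recorded for more than one local user. The (local_user, account_id) storage shape, the example domain, the scope value and the sample account ids are assumptions constructed for illustration.

```python
import secrets
from collections import defaultdict
from urllib.parse import urlencode

AUTHORIZE_URL = "https://app.cronofy.com/oauth/authorize"  # endpoint from the page


def build_authorize_url(client_id, redirect_uri, scope, state=None, avoid_linking=False):
    """Return (url, state) for the authorization request shown above."""
    # A fresh unguessable state per request ties the callback to this browser session.
    state = state or secrets.token_urlsafe(32)
    params = [("response_type", "code")]
    if avoid_linking:
        # Per the page: cookies present are ignored and a new account is created.
        params.append(("avoid_linking", "true"))
    params += [
        ("client_id", client_id),
        ("redirect_uri", redirect_uri),
        ("scope", scope),
        ("state", state),
    ]
    return AUTHORIZE_URL + "?" + urlencode(params), state


def find_shared_accounts(authorizations):
    """Return {account_id: [local users]} for ids recorded under more than one user.

    `authorizations` is an iterable of (local_user, account_id) pairs that your
    application stored after each authorization (hypothetical storage shape).
    """
    users_by_account = defaultdict(set)
    for local_user, account_id in authorizations:
        users_by_account[account_id].add(local_user)
    return {a: sorted(u) for a, u in users_by_account.items() if len(u) > 1}


# Constructed sample: alice and bob were authorized from the same browser profile.
SAMPLE = [
    ("alice@test.example", "acc_constructed_0001"),
    ("bob@test.example", "acc_constructed_0001"),
    ("carol@test.example", "acc_constructed_0002"),
]

if __name__ == "__main__":
    url, _ = build_authorize_url("CLIENT_ID", "https://dev.example/callback",
                                 "read_events", avoid_linking=True)
    print(url)
    print(find_shared_accounts(SAMPLE))
```

Running find_shared_accounts over your development database before a release shows whether any test users were linked by the cookie rather than by intent.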

Once a calendar service account is linked under a Cronofy account, neither of these options will remove that link. If you have calendar service accounts you’d like split, just contact us with the email addresses associated with the calendar accounts and we can break the link for you.