When following the OAuth authentication documentation for Zoho CRM (here), I find that when calling the API to obtain a refresh token, the expires_in field returns the expiry time in milliseconds, not seconds as given in the OAuth2 specification. 

This is not an issue if manually or programatically handling tokens without a library, but when using an OAuth2 compliant client library, the expiry is calculated incorrectly due to the specific expires_in field not being in seconds. This can result in tokens being expired, but still appearing valid to libraries which use the expiry to calculate validity.