Kit · n7studios · Nov 26, 2025 · Nov 25, 2025 · Nov 25, 2025
diff --git a/includes/class-convertkit-settings.php b/includes/class-convertkit-settings.php
@@ -45,14 +45,6 @@ public function __construct() {
 			$this->settings = array_merge( $this->get_defaults(), $settings );
 		}
 
-		// Update Access Token when refreshed by the API class.
-		add_action( 'convertkit_api_get_access_token', array( $this, 'update_credentials' ), 10, 2 );
-		add_action( 'convertkit_api_refresh_token', array( $this, 'update_credentials' ), 10, 2 );
-
-		// Delete credentials if the API class uses a invalid access token.
-		// This prevents the Plugin making repetitive API requests that will 401.
-		add_action( 'convertkit_api_access_token_invalid', array( $this, 'maybe_delete_credentials' ), 10, 2 );
-
 	}
 
 	/**
@@ -183,6 +175,9 @@ public function has_api_key_and_secret() {
 	 */
 	public function get_access_token() {
 
+		// Reload settings from options table, to ensure we have the latest tokens.
+		$this->refresh_settings();
+
 		// Return Access Token from settings.
 		return $this->settings['access_token'];
 
@@ -210,6 +205,9 @@ public function has_access_token() {
 	 */
 	public function get_refresh_token() {
 
+		// Reload settings from options table, to ensure we have the latest tokens.
+		$this->refresh_settings();
+
 		// Return Refresh Token from settings.
 		return $this->settings['refresh_token'];
 
@@ -622,16 +620,9 @@ public function get_defaults() {
 	 *
 	 * @since   2.8.3
 	 *
-	 * @param   array  $result      New Access Token, Refresh Token and Expiry.
-	 * @param   string $client_id   OAuth Client ID used for the Access and Refresh Tokens.
+	 * @param   array $result      New Access Token, Refresh Token and Expiry.
 	 */
-	public function update_credentials( $result, $client_id ) {
-
-		// Don't save these credentials if they're not for this Client ID.
-		// They're for another Kit Plugin that uses OAuth.
-		if ( $client_id !== CONVERTKIT_OAUTH_CLIENT_ID ) {
-			return;
-		}
+	public function update_credentials( $result ) {
 
 		// Remove any existing persistent notice.
 		WP_ConvertKit()->get_class( 'admin_notices' )->delete( 'authorization_failed' );
@@ -652,34 +643,6 @@ public function update_credentials( $result, $client_id ) {
 
 	}
 
-	/**
-	 * Deletes the stored access token, refresh token and its expiry from the Plugin settings,
-	 * and clears any existing scheduled WordPress Cron event to refresh the token on expiry,
-	 * when either:
-	 * - The access token is invalid
-	 * - The access token expired, and refreshing failed
-	 *
-	 * @since   3.1.0
-	 *
-	 * @param   WP_Error $result      Error result.
-	 * @param   string   $client_id   OAuth Client ID used for the Access and Refresh Tokens.
-	 */
-	public function maybe_delete_credentials( $result, $client_id ) {
-
-		// Don't delete these credentials if they're not for this Client ID.
-		// They're for another Kit Plugin that uses OAuth.
-		if ( $client_id !== CONVERTKIT_OAUTH_CLIENT_ID ) {
-			return;
-		}
-
-		// Persist an error notice in the WordPress Administration until the user fixes the problem.
-		WP_ConvertKit()->get_class( 'admin_notices' )->add( 'authorization_failed' );
-
-		// Delete the credentials from the Plugin settings.
-		$this->delete_credentials();
-
-	}
-
 	/**
 	 * Deletes any existing access token, refresh token and its expiry from the Plugin settings,
 	 * and clears any existing scheduled WordPress Cron event to refresh the token on expiry.
@@ -713,7 +676,25 @@ public function save( $settings ) {
 		update_option( self::SETTINGS_NAME, array_merge( $this->get(), $settings ) );
 
 		// Reload settings in class, to reflect changes.
-		$this->settings = get_option( self::SETTINGS_NAME );
+		$this->refresh_settings();
+
+	}
+
+	/**
+	 * Reloads settings from the options table so this instance has the latest values.
+	 *
+	 * @since  3.1.1
+	 */
+	private function refresh_settings() {
+
+		$settings = get_option( self::SETTINGS_NAME );
+
+		if ( ! $settings ) {
+			$this->settings = $this->get_defaults();
+			return;
+		}
+
+		$this->settings = array_merge( $this->get_defaults(), $settings );
 
 	}
 

diff --git a/includes/functions.php b/includes/functions.php
@@ -690,3 +690,61 @@ function convertkit_kses_allowed_html() {
 	return array_merge( $elements, $form_elements );
 
 }
+
+/**
+ * Saves the new access token, refresh token and its expiry, and schedules
+ * a WordPress Cron event to refresh the token on expiry.
+ *
+ * @since   3.1.1
+ *
+ * @param   array  $result      New Access Token, Refresh Token and Expiry.
+ * @param   string $client_id   OAuth Client ID used for the Access and Refresh Tokens.
+ */
+function convertkit_maybe_update_credentials( $result, $client_id ) {
+
+	// Don't save these credentials if they're not for this Client ID.
+	// They're for another Kit Plugin that uses OAuth.
+	if ( $client_id !== CONVERTKIT_OAUTH_CLIENT_ID ) {
+		return;
+	}
+
+	$settings = new ConvertKit_Settings();
+	$settings->update_credentials( $result );
+
+}
+
+/**
+ * Deletes the stored access token, refresh token and its expiry from the Plugin settings,
+ * and clears any existing scheduled WordPress Cron event to refresh the token on expiry,
+ * when either:
+ * - The access token is invalid
+ * - The access token expired, and refreshing failed
+ *
+ * @since   3.1.1
+ *
+ * @param   WP_Error $result      Error result.
+ * @param   string   $client_id   OAuth Client ID used for the Access and Refresh Tokens.
+ */
+function convertkit_maybe_delete_credentials( $result, $client_id ) {
+
+	// Don't save these credentials if they're not for this Client ID.
+	// They're for another Kit Plugin that uses OAuth.
+	if ( $client_id !== CONVERTKIT_OAUTH_CLIENT_ID ) {
+		return;
+	}
+
+	// Persist an error notice in the WordPress Administration until the user fixes the problem.
+	WP_ConvertKit()->get_class( 'admin_notices' )->add( 'authorization_failed' );
+
+	$settings = new ConvertKit_Settings();
+	$settings->delete_credentials();
+
+}
+
+// Update Access Token when refreshed by the API class.
+add_action( 'convertkit_api_get_access_token', 'convertkit_maybe_update_credentials', 10, 2 );
+add_action( 'convertkit_api_refresh_token', 'convertkit_maybe_update_credentials', 10, 2 );
+
+// Delete credentials if the API class uses a invalid access token.
+// This prevents the Plugin making repetitive API requests that will 401.
+add_action( 'convertkit_api_access_token_invalid', 'convertkit_maybe_delete_credentials', 10, 2 );