Refresh token validity period



1 comment

  • Rui Barbosa


    By default the access token lasts 60 minutes and the refresh token 60 days.

    Also by default, when you use the refresh token to get a new access token, you also get a new refresh token. Refresh tokens are single use only. This means your application should cache the new pair of tokens for future use.

    There is, however, an exception to this behavior to prevent a race condition in multi-threaded scenarios.

    In these scenarios it is possible that multiple threads request a new access token using the same refresh token. In this case the platform responds with the same pair of new access and refresh tokens, so you're safe.

    To your question: the refresh token is single use, and your application should cache the new token pair. However, if your application uses the same refresh token before it had a chance to cache the new ones, it will get the same new access and refresh token.

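A client-side way to cache the rotated pair so that concurrent threads never present the same refresh token twice, as an added example that is not part of the original comment or the platform's own code. `FakeTokenEndpoint` and `TokenStore` are hypothetical names, and the fake endpoint is constructed to be strictly single use (without the same-pair exception described above) to show the client does not rely on it.

```python
import threading
import time

class FakeTokenEndpoint:
    """Constructed stand-in for the platform's token endpoint (strict single use)."""
    def __init__(self, first_refresh_token):
        self.valid_refresh = first_refresh_token
        self.calls = 0
        self._lock = threading.Lock()

    def refresh(self, refresh_token):
        with self._lock:
            self.calls += 1
            if refresh_token != self.valid_refresh:
                raise PermissionError("refresh token already used")
            self.valid_refresh = f"rt-{self.calls}"
            # 3600 s matches the 60-minute default access token lifetime
            return f"at-{self.calls}", self.valid_refresh, 3600

class TokenStore:
    """Caches one token pair; only one thread at a time may refresh it."""
    def __init__(self, refresh_call, access, refresh, expires_at, skew=60):
        self._refresh_call = refresh_call  # refresh_token -> (access, refresh, lifetime_s)
        self._access, self._refresh = access, refresh
        self._expires_at, self._skew = expires_at, skew
        self._lock = threading.Lock()

    def access_token(self):
        with self._lock:
            # Expiry is checked under the lock, so a thread that waited here
            # sees the pair cached by the thread that refreshed before it.
            if time.time() >= self._expires_at - self._skew:
                access, refresh, lifetime = self._refresh_call(self._refresh)
                self._access, self._refresh = access, refresh  # replace both together
                self._expires_at = time.time() + lifetime
            return self._access

def run_demo(workers=8):
    endpoint = FakeTokenEndpoint("rt-0")
    store = TokenStore(endpoint.refresh, "at-0", "rt-0", expires_at=0)  # already expired
    seen = []
    threads = [threading.Thread(target=lambda: seen.append(store.access_token()))
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return endpoint.calls, set(seen)

if __name__ == "__main__":
    print(run_demo())
```

In a multi-process deployment the same idea needs a shared store and a cross-process lock, since `threading.Lock` only covers one process.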
