Token Lifetimes
This page outlines the lifetimes of the various issued tokens. Note that any access_token is issued with an iat claim denoting when it was issued and an exp claim denoting its expiry time (both Unix timestamps). Your application can inspect these claims to re-authorize proactively and avoid request failures.
Attempting to access an API with an expired token will result in an HTTP 403 (Forbidden) response.
Authorization Code Flow (Interactive)
During the Authorization Code flow, if a scope of offline_access is requested, a refresh_token will be issued. This can then be used to procure a new access_token on the user’s behalf via the backchannel. The new token will be representative of the original with updated expiry times, and will be accompanied by a new refresh_token. Note that the refresh_token is single-use.
| access_token | 3600 seconds (1 hour) |
|---|---|
| refresh_token | 30 Days |
Client Credentials Flow (Machine-To-Machine)
Since authorization requires no user interaction for the Client Credentials flow, no refresh_token is issued, and the flow is expected to be performed again when the token has expired.
| access_token | 3600 seconds (1 hour) |
|---|---|
| refresh_token | N/A |
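The following is an added example, not part of the original documentation, of the proactive check described above for both flows: it reads exp from the access_token, renews shortly before expiry, and replaces the single-use refresh_token on every refresh. It assumes the access_token is a JWT; `TokenSession`, `needs_renewal`, the 60-second margin and the `refresh`/`reauthorize` callables are hypothetical names standing in for your own token-endpoint calls.

```python
import base64, json, time

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature.
    Used only for a client-side expiry check; the API still validates the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)           # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def needs_renewal(token, now=None, skew=60):
    """True if the token expires within `skew` seconds, or its exp cannot be read."""
    now = time.time() if now is None else now
    try:
        return float(jwt_claims(token)["exp"]) - skew <= now
    except (KeyError, IndexError, ValueError, TypeError):
        return True                                 # unreadable token: renew rather than fail later

class TokenSession:
    """Holds the current tokens. `refresh` and `reauthorize` are caller-supplied
    callables (hypothetical) that perform the actual token-endpoint requests."""
    def __init__(self, access_token, refresh_token=None, refresh=None, reauthorize=None):
        self.access_token, self.refresh_token = access_token, refresh_token
        self._refresh, self._reauthorize = refresh, reauthorize

    def get_access_token(self, now=None):
        if not needs_renewal(self.access_token, now):
            return self.access_token
        if self.refresh_token is not None:
            # Authorization Code flow: the refresh_token is single-use, so the new
            # refresh_token in the response must replace the old one immediately.
            resp = self._refresh(self.refresh_token)
            self.access_token, self.refresh_token = resp["access_token"], resp["refresh_token"]
        else:
            # Client Credentials flow: no refresh_token exists; perform the flow again.
            self.access_token = self._reauthorize()["access_token"]
        return self.access_token

def make_token(iat, lifetime=3600):
    """Constructed, unsigned sample token for demonstration only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc({"iat": iat, "exp": iat + lifetime}) + "."
```

Persist the rotated refresh_token before using the new access_token; if the process crashes in between, the old refresh_token has already been consumed.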