Menu
Each refresh token is valid for 14 days. Why do the refresh tokens expire?
451
Enter Inactivity Lifetime in seconds. If the refresh token is not exchanged within the specified interval, the refresh token expires and can no longer be used to get a new access token. The expiration period is renewed each time the refresh token is exchanged for a new access token within the interval.
The refresh token is set with a very long expiration time of 200 days. If the traffic to this API is 10 requests/second, then it can generate as many as 864,000 tokens in a day.
The Google Auth server issued Refresh tokens never expire — that's the whole point of the refresh tokens. The refresh token will expire (or I should say become unauthorized) when the user revokes access to your application.
The refresh token is used indefinitely, unless revoked by the user or Salesforce admin.
14 days was based on what is considered best practice in implementing OAuth2. See Why do access tokens expire? for a pretty comprehensive answer about why OAuth2 refresh tokens expire.
We are interested in hearing what number bigger than 14 would work for your application. We picked 14 days based on initial feedback, surveys from application developers, as well as looking at application logins by users. A high majority of users login with apps more often than every 14 days.
Can you explain your use case? What would be the ideal non-infinite refresh-interval that would give you a balance between peace-of-mind about security, and convenience
52
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
