
how long does a refresh token last?

Mt. Kenya

I'm storing the refresh token for my session in a database and updating it every time I update the access token. But the other day, my application was down for 60 hours and I was surprised to see that the refresh token still worked.

How long does it last?

Doesn't it defeat the whole purpose of having OAuth2 in place if the refresh token can be stored this long?



There is no refresh_token reported life here, other than you "might" get a new one when you get a new access token. There is no standard per se of how long a refresh token should last; we've seen forever as one option for other apps. It would stink if your app didn't run for 60 hours (which is very possible in a Zap's case), and then it could not run as you couldn't get a new token.

Another example: Microsoft's refresh token can last up to 90 days: