Child Item

Migrating to short-lived access tokens

Hi there,

I want to switch from the depricated long-lived tokens to short-lived access tokens for an application that uses offline access. The old token flow didn't have a refresh token generated. Is it possible to get an refresh token for those old tokens (once) so I can migrate the application to the new short-lived tokens with refresh token without requiring all users to re-authorize?

Thanks!

Find more posts tagged with

API

Abuse

Accepted answers

Greg-DB

No, we don't have a way to get refresh tokens for existing long-lived access tokens. However, while long-lived access tokens are now considered deprecated, but we don't currently have a plan to disable existing long-lived access tokens. (If that changes, we will of course announce that ahead of time.) That being the case, your existing users can continue using their existing long-lived access token(s) and you don't have to force them to re-authorize the app if you don't want to.

All comments

Greg-DB

De L.1

Thanks for your quick reply!

I understand that there are no plans yet to disable the old tokens, but I assume that this will happen at some point. But it is good to know that I don't need to force the users at this moment. However, as the short-lived tokens with refresh token add an additional level of security, I will have to migrate anyway (at least for new authorizations).

pallavipersistent

Hi ,

Is there any error that will be thrown when long lived access token get deprecated? we are shifting our nodejs application where long lived access token accounts will start giving a deprecation error once announced.
Just wanted to heads up on the error priorly so that we can handle them.

pallavipersistent

Is there any expiry to refresh token?Please let us know.

De L.1

OAuth 2 refresh tokens will not expire by themselves. See @Greg-DB answer in this topic.
Perhaps a good idea to mention this clearly in the documentation.

Greg-DB

Thanks! That's correct, refresh tokens don't expire by themselves (though the user or app can revoke them on demand of course). I'll ask the team to more clearly document this.

Anyway, long-lived access tokens are now considered "deprecated", but they will continue operating as they do currently. We'll make an announcement with details if/when that will change.