amzn / selling-partner-api-models

This repository contains OpenAPI models for developers to use when developing software to call Selling Partner APIs.
Apache License 2.0

Does the Refresh Token ever expire #1209

Closed diegocvazquez closed 3 years ago

diegocvazquez commented 3 years ago

Hello everyone,

I have searched but I cannot find information about this: does the Refresh Token ever expire?

Regards,

AmericanY commented 3 years ago

@diegocvazquez Seems you mix things up! Also, please consider checking the documentation before posting here, as some of the questions you asked are already addressed there. Check:

image

diegocvazquez commented 3 years ago

@AmericanY What makes you think that I am mixing things up? I know that the refresh token is used to obtain an access token; in fact, I was able to implement the website workflow successfully and pulled data successfully. In the MWS API you need to authorize a developer every 12 months. I am asking if the refresh token obtained after the app authorization ever expires in a way that you need to authorize the app again. Do you need to generate the access token after a long period of time, or can it be used to obtain an access token forever? What does long-lived mean: 1 month, 1 year, forever? Regards

charliecode commented 3 years ago

@diegocvazquez Valid question as I do not recall "long-lived" being defined in the docs. I also couldn't find the question previously answered in the issues. However, it is indicated that the Login with Amazon authorization server is being used to attain the refresh_token. So, as long as the SP-API team did not change anything, a "long-lived" refresh_token is valid indefinitely according to the definition given in the Login with Amazon docs. I wouldn't take that as law until verification is given. Regardless, your question is great and indicates this would be another good addition to the docs, to make things clearer as they did in the LWA docs.

diegocvazquez commented 3 years ago

@charliecode The reason why I am asking this is to be able to prioritize the implementation in our application of some kind of notification in the case that I am not able to get an access token from the refresh token because, for example, it has expired; it doesn't matter if it is 1 year or 6 months. I also think the question is valid. Perhaps I was not clear asking the question; English is not my mother language. I will read the Login with Amazon docs in more detail; perhaps I will find more information about this.

Thanks for your support

charliecode commented 3 years ago

@diegocvazquez Your English is great, your question was great and I really appreciate your contribution to the community! 🙌

stefnats commented 3 years ago

@diegocvazquez No difficulties understanding at all! Please let me/us know what you found out; I couldn't find it.

Tomer781 commented 3 years ago

No activity on this issue for some time, but I think I have the answer for you guys.

Refresh tokens are valid indefinitely, unless the user has removed the website or mobile app from the list of allowed apps for their account.

Origin: https://developer.amazon.com/docs/login-with-amazon/refresh-token.html

It was said on LWA in general, but I think it's relevant for SP api, which uses LWA

diegocvazquez commented 3 years ago

@Tomer781 Well in that case I think it is clear now, will close this issue

all-iver commented 2 years ago

For anyone coming across this now, in Amazon's SP-API FAQ (https://developer-docs.amazon.com/sp-api/page/sp-api-general-faqs) it says:

The refresh token expires after one year. This is identical to MWS token expiration.

jhhb commented 2 years ago

Can anyone verify if the refresh token is refreshed according to any of these options below:

  1. Does the refresh token become invalid one year from the time the refresh token was originally generated?

Or,

  2. Does the refresh token become invalid when the application for which it was generated expires?

Or,

  3. Does the refresh token become invalid 1 year after Amazon announced the 1-year expiry of refresh tokens?

Or,

  4. Another option?

The difference between 1 and 2 is important for a developer application because in the case of (1), it's necessary for the developer application to update the refresh token on the server, whereas in the case of (2), it's not necessary to do so, and the same token can be used indefinitely, as long as the application is up to date and recently renewed by the selling partner.

Thanks for any help anyone can provide.

haoxi911 commented 5 months ago

It has been a few years since this discussion. Could anyone confirm that SP-API's refresh token would expire in 1 year or not? I am building a public app for our customers, one of their refresh tokens is about to expire - if it will expire in 1 year.

rugved1991 commented 5 months ago

Hi @haoxi911,

We recommend refreshing authorization once a year. If you do not refresh the tokens, we would revoke access to the token. Please work with your sellers to reauthorize your applications once a year. https://developer.amazonservices.com/april2022#sp-api-baselining-launch-announcement

Best,
Rugved
Solutions Architect, SP-API

diegocvazquez commented 5 months ago

@haoxi911 I can confirm this, after one year the token expires and you need to refresh it.

haoxi911 commented 5 months ago

Thank you for confirming it! I have asked my customer to re-authorize the app.

In my use case, the refresh_token should have expired 5 days ago; however, it still works fine. I think Amazon might keep a refresh_token available for more than one year, though we should rotate it as a best practice.
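
Added example, not part of the thread and not Amazon's code: one way to drive the "notify when the refresh token stops working" logic asked about above, combining the yearly reauthorization deadline with the result of the token exchange. It assumes the token endpoint reports failures with the standard OAuth 2.0 (RFC 6749) error codes; the 30-day warning window, the function names and the sample responses are constructed for illustration.

```python
import json
from datetime import date, timedelta

AUTH_LIFETIME = timedelta(days=365)  # yearly reauthorization, per the thread
WARN_WINDOW = timedelta(days=30)     # assumed lead time for warning the seller

# RFC 6749 section 5.2 token-endpoint error codes (assumed to apply here).
REAUTHORIZE = {"invalid_grant"}  # refresh token expired or revoked
MISCONFIGURED = {"invalid_client", "unauthorized_client"}  # app credentials

# Constructed sample responses; the token value is a placeholder.
OK_BODY = '{"access_token": "EXAMPLE", "token_type": "bearer", "expires_in": 3600}'
REJECTED_BODY = '{"error": "invalid_grant", "error_description": "constructed"}'


def classify_token_response(status, body):
    """Return 'ok', 'reauthorize', 'misconfigured' or 'retry'."""
    try:
        payload = json.loads(body)
    except ValueError:
        return "retry"  # non-JSON body, e.g. a gateway error page
    if not isinstance(payload, dict):
        return "retry"
    if status == 200 and "access_token" in payload:
        return "ok"
    error = payload.get("error")
    if error in REAUTHORIZE:
        return "reauthorize"
    if error in MISCONFIGURED:
        return "misconfigured"
    return "retry"


def authorization_state(authorized_on, today):
    """Age-based state: 'active', 'expiring' or 'past_due'."""
    expires_on = authorized_on + AUTH_LIFETIME
    if today >= expires_on:
        return "past_due"
    if today >= expires_on - WARN_WINDOW:
        return "expiring"
    return "active"


def needs_seller_notification(authorized_on, today, status, body):
    """True when the token was rejected or the yearly deadline is near or
    passed, even if the exchange still succeeds."""
    return (classify_token_response(status, body) == "reauthorize"
            or authorization_state(authorized_on, today) != "active")
```

Keeping the age check separate from the exchange result covers the case reported in the last comment, where a token past its one-year mark still returned access tokens.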