intuit / oauth-jsclient

Intuit's NodeJS OAuth client provides a set of methods to make it easier to work with OAuth2.0 and Open ID
https://developer.intuit.com/
Apache License 2.0

refresh token expiration time #74

Closed AlbertHambardzumyan closed 4 years ago

AlbertHambardzumyan commented 4 years ago

According to the documentation, we should always make use of the latest refresh token, as the previous refresh token has a 24h expiration time:

> When you request a fresh access_token, always use the refresh token returned in the most recent token_endpoint response. Your previous refresh tokens expire 24 hours after you receive a new one.

It looks like this is not true, as when using the refreshUsingToken() API I'm getting the same refresh token in the response.

```javascript
// `token` is the previously stored token pair; the result goes into a new
// variable so the call can read token.refresh_token (assigning it back to a
// `const token` being declared on the same line would throw a ReferenceError).
const newToken = await OauthClient.refreshUsingToken(token.refresh_token)
```

The difference between the previous token I had and the new one I got is:

  a) x_refresh_token_expires_in=8721385 (less than the initial value of 8726400, i.e. 101 days)
  b) access_token=...

which means the refresh token has not changed at all.

abisalehalliprasan commented 4 years ago

@AlbertHambardzumyan :

Even though the refresh token is valid for 100 days, the value of refresh token can change every 24-26 hour period. Hence, you might encounter a situation where the request token that you received first is different than the latest one. As a best practice, always store the latest refresh token received from the API response and use that to make subsequent calls to obtain a new pair of tokens.

It does not necessarily change exactly at 24 hours. There is a window during which it changes. For more information you may read the section in our docs: Understand token expiration

AlbertHambardzumyan commented 4 years ago

@abisalehalliprasan Now it makes more sense.

This definitely should be added here. Otherwise, as an SDK user you have some expectation that your refresh token should be changed in the refreshUsingToken() call.

Agree?

AlbertHambardzumyan commented 4 years ago

Also, let's consider the following case:

a) I obtain refresh and access tokens.
b) According to the above discussion, the refresh token will change within a 24h window.

Now let's assume I have not made any requests for 3 days. The refresh token will be changed ~3 times during this period.

Does it mean the refresh token obtained at step a) is not valid after 3 days? Or is it still valid until I make a request after 3 days, and only 24h after that point does the old one expire?

alexesca commented 4 years ago

@AlbertHambardzumyan The refresh token is valid for 100 days. If you refresh the access_token, the previous refresh token is valid for 24 hrs and the new token is valid for 100 days. If you encrypt and store your refresh token in your database, you won't have to worry about it anymore because you will always use the one you stored to refresh the access token. @abisalehalliprasan helped me remember something I read but forgot. The refresh token changes, but it does not mean it changes every time we refresh the access token.
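As an added example (not code from the intuit/oauth-jsclient project or from anyone in this thread), the JavaScript below models the rotation behaviour the replies describe and the "always persist the refresh token from the latest response" pattern, including the 3-idle-days case asked about above. The token endpoint is a constructed stub whose rules (rotate only on a refresh made at least 24h after issue, 24h grace for the superseded token, 100-day lifetime) are assumptions drawn from this thread, and `makeFakeTokenEndpoint`, `refreshAndStore` and `demo` are hypothetical helpers, not library APIs.

```javascript
const DAY = 24 * 60 * 60; // seconds
// Constructed stand-in for OAuthClient.refreshUsingToken() (no network call). Assumed behaviour,
// following the thread: the refresh token rotates only when a refresh arrives >= 24h after it
// was issued, the superseded token stays valid 24h more, and expires_in counts down from 100 days.
function makeFakeTokenEndpoint(now) {
  let current = { refresh_token: 'rt-1', issuedAt: now(), expiresAt: now() + 100 * DAY };
  let previous = null, n = 1;
  function refreshUsingToken(refreshToken) {
    const t = now();
    const ok = (s) => s !== null && refreshToken === s.refresh_token && t < s.expiresAt;
    if (!ok(current) && !ok(previous)) throw new Error('invalid_grant');
    if (t - current.issuedAt >= DAY) { // rotate: the old token gets a 24h grace window
      previous = { ...current, expiresAt: t + DAY };
      current = { refresh_token: `rt-${++n}`, issuedAt: t, expiresAt: t + 100 * DAY };
    }
    return { access_token: `at-${t}`, expires_in: 3600, refresh_token: current.refresh_token,
             x_refresh_token_expires_in: current.expiresAt - t };
  }
  return { refreshUsingToken, initialRefreshToken: current.refresh_token };
}
// The pattern the thread settles on: after every refresh, overwrite the stored refresh token
// with the one in the response, whether or not it changed. `store` stands in for the
// (encrypted) database row; `refresh` is the refresh function, sync or async.
async function refreshAndStore(store, refresh) {
  const res = await refresh(store.refresh_token);
  const rotated = res.refresh_token !== store.refresh_token;
  store.refresh_token = res.refresh_token;
  store.access_token = res.access_token;
  store.x_refresh_token_expires_in = res.x_refresh_token_expires_in;
  return { rotated, x_refresh_token_expires_in: res.x_refresh_token_expires_in };
}
// Walk through the scenarios raised in the thread against the constructed endpoint.
async function demo() {
  let clock = 0;
  const api = makeFakeTokenEndpoint(() => clock);
  const store = { refresh_token: api.initialRefreshToken };
  const steps = [];
  clock = 3600;                // refresh after 1h: same refresh token, smaller expires_in
  steps.push(await refreshAndStore(store, api.refreshUsingToken));
  const stale = store.refresh_token;
  clock = 3 * DAY;             // idle for 3 days, then refresh: the token rotates once
  steps.push(await refreshAndStore(store, api.refreshUsingToken));
  clock = 3 * DAY + 23 * 3600; // the superseded token is still accepted inside its window
  steps.push(await refreshAndStore({ refresh_token: stale }, api.refreshUsingToken));
  clock = 4 * DAY + 1;         // and rejected once that window has closed
  let rejected = false;
  try { await refreshAndStore({ refresh_token: stale }, api.refreshUsingToken); }
  catch (e) { rejected = e.message === 'invalid_grant'; }
  return { steps, rejected, latest: store.refresh_token };
}
```

Run `demo().then(console.log)` to see the three refresh results, the rejection of the stale token, and the refresh token the store ends up holding.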