OAuth2 token lifetime/expiration clarification

https://confluence.atlassian.com/bitbucket/oauth-on-bitbucket-cloud-238027431.html#OAuthonBitbucketCloud-Refreshtokens claims that access tokens expire in 1 hour after which you will get HTTP 401s (which tell you that you need to run the refresh flow).

This is at odds with the expires_in value I get back from the access_token endpoint when the grant_type is set to refresh_token.

    "access_token": "my-new-token",
    "scopes": "my scopes here",
    "expires_in": 7200,
    "refresh_token": "my-refresh-token",
    "token_type": "bearer"

No matter how I look at it I cannot figure out how 7200 == 1 hour.

In fact 7200 / 60 (seconds) = 2 hours so do they live for 2 hours?

What am I misunderstanding here?

Is the documentation outdated?

1 Like

Hi Taryn. I work on the Bitbucket Cloud team. You are correct, we recently changed the lifetime of those tokens to be 2 hours, and obviously forgot to update these docs to reflect that change. I went ahead and fixed up the page so that it says 2 hours now. Thanks for letting us know.

1 Like