refresh_token which can be used to retrieve a new access_token and a new refresh_token. The refresh_token is invalidated with every https://auth.atlassian.com/oauth/token request.
Please note that each request to the https://auth.atlassian.com/oauth/token will generate a new refresh_token. This is the token that should be used to retrieve a new access_token. At the same time, each time a new request is performed the previous refresh_token will be invalidated and the app logic should save this value to be used the next time it’s needed.
The app will need to store each refresh_token and use that in subsequent requests once the access_token expires.
The Inactivity Expiration (90 days) and Absolute Expiration (365 days) refer to a refresh_token. Regarding the Inactivity Expiration (90 days), this only applies if no new https://auth.atlassian.com/oauth/token request is performed. As soon as a request to obtain an access_token is sent, a new refresh_token is generated and its inactivity expiry time is reset to 90 days. Any subsequent request will need to use the refresh_token generated when requesting the most recent access_token.
The Absolute Expiration (365 days) is not related to the user’s activity. This means that after the first refresh_token is generated, even if it keeps getting refreshed, the refresh_token expires after 365 days.
Hi @RohitPatil,
Let me ask you a few questions to better understand the scenario here:
Is the offline_access scope added to the scope parameter of the Log in with Atlassian account request? It should if you want to use refresh tokens and that’s how you “enable” the refresh_token.
From the provided screenshot, it looks like this is all working but I want to double check this anyway.
About this:
I can regenerate the refresh_token with the previous refresh token within an hour only after then it fails with
Are you 100% sure? Isn’t there maybe another process/thread attempting to regenerate the refresh_token causing the previous one to be invalidated? What if you don’t use the access_token at all, does anything change?
You are most likely already across this, but here is our documentation on this topic.
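The rotation rule and the concurrent-refresh pitfall discussed in the posts above, as an added example that is not part of any post in this thread and is not Atlassian's code. `TokenStore` and `FakeTokenEndpoint` are hypothetical names; the endpoint is a constructed local stand-in that rotates the refresh_token on every call, and the 3600-second access_token lifetime is a sample value.

```python
import secrets, threading, time

INACTIVITY = 90 * 86400   # refresh_token inactivity expiration (from the thread)
ABSOLUTE = 365 * 86400    # refresh_token absolute expiration (from the thread)

class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint: each call rotates the refresh_token."""
    def __init__(self, first):
        self.valid, self.calls = first, 0

    def __call__(self, refresh_token):
        self.calls += 1
        if refresh_token != self.valid:
            raise PermissionError("refresh_token already invalidated")
        self.valid = secrets.token_hex(8)  # previous value is now dead
        return {"access_token": secrets.token_hex(8),
                "refresh_token": self.valid, "expires_in": 3600}

class TokenStore:
    """Serialises refreshes and always keeps the newest refresh_token."""
    def __init__(self, refresh_token, exchange, now=time.time):
        self._lock = threading.Lock()
        self._exchange, self._now = exchange, now
        self._refresh = refresh_token
        self._first_issued = self._last_refresh = now()  # assumption: store created at login
        self._access, self._access_exp = None, 0.0

    def access_token(self):
        with self._lock:  # one refresh at a time, so no caller sends a stale token
            t = self._now()
            if self._access and t < self._access_exp - 60:
                return self._access
            if t - self._last_refresh > INACTIVITY or t - self._first_issued > ABSOLUTE:
                raise RuntimeError("refresh_token expired; user must log in again")
            resp = self._exchange(self._refresh)
            self._refresh = resp["refresh_token"]  # save the rotated value immediately
            self._last_refresh = t                 # inactivity window restarts here
            self._access, self._access_exp = resp["access_token"], t + resp["expires_in"]
            return self._access

def demo_concurrent(n=8):
    """n threads ask for a token at once; returns (endpoint calls, distinct tokens)."""
    endpoint = FakeTokenEndpoint("rt-initial")
    store = TokenStore("rt-initial", endpoint)
    out = []
    threads = [threading.Thread(target=lambda: out.append(store.access_token()))
               for _ in range(n)]
    for th in threads:
        th.start()
    for th in threads:
        th.join()
    return endpoint.calls, set(out)
```

In a real app the rotated refresh_token would be written to durable storage shared by every worker, with the same one-refresh-at-a-time guarantee enforced across processes.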
It looks like you are all new to the Atlassian developer community. Welcome!
I see that you seem to be facing the same problems with short refresh token expiration. While your subsequent request was relevant to the thread, we’re not getting new responses to your new issue. As such, I first recommend someone create a new post (in fact, I’m going to lock this one to avoid similar problems) with all the relevant details you can provide according to:
Even with that, OAuth problems are tricky because they involve secrets and often require Atlassians to go looking into specific logs to trace your requests for problems. As such, I would advise following up with our developer support where you can (and should) share your client ID & secret, along with any other details about the requests that would help us debug.