Refresh token expires after 36000 seconds

In my case, I can generate the refresh token and regenerate the refresh token as well.

But the refresh token is showing 3600, while the documentation says it has 90 days of validity.

After 3600 sec, the refresh token is no longer generated and I get an unauthorised client error code.

What am I missing here?


Hi @RohitPatil,

Let me start with some context and general information which might add clarity to our documentation.

Since the recent introduction of rotating refresh tokens and the deprecation of persistent refresh tokens (which has been announced in Updated: 31 January 2022 - Action required - Deprecating persistent refresh tokens ), there are now two tokens:

  • access_token which expires after 1 hour
  • refresh_token which can be used to retrieve a new access_token and a new refresh_token. The refresh_token is invalidated with every https://auth.atlassian.com/oauth/token request.

Please note that each request to https://auth.atlassian.com/oauth/token will generate a new refresh_token. This is the token that should be used to retrieve a new access_token. At the same time, each time a new request is performed the previous refresh_token will be invalidated, and the app logic should save this value to be used the next time it’s needed.

The app will need to store each refresh_token and use that in subsequent requests once the access_token expires.

The Inactivity Expiration (90 days) and Absolute Expiration (365 days) refer to a refresh_token. Regarding the Inactivity Expiration (90 days), this only applies if no new https://auth.atlassian.com/oauth/token request is performed. As soon as a request to obtain an access_token is sent, a new refresh_token is generated and its inactivity expiry time is reset to 90 days. Any subsequent request will need to use the refresh_token generated when requesting the most recent access_token.

The Absolute Expiration (365 days) is not related to the user’s activity. This means that after the first refresh_token is generated, even if it keeps getting refreshed, the refresh_token expires after 365 days.

Hope this helps,
Caterina

Thank you for the detailed reply!

My problem is that I can regenerate the refresh_token with the previous refresh token within an hour only; after that it fails with

{
    "error": "unauthorized_client",
    "error_description": "refresh_token is invalid"
}

Do I need to enable rotation refresh_token from somewhere?

Here is the basic current flow of the application:

  1. After receiving the code from user consent, I generate the access token, where the grant type is authorization_code
  2. Then I fetch the accessible-resources on the basis of the access_token received above.
  3. I generate the refresh_token again, where grant_type is refresh_token
  4. Storing these details for subsequent use.

Hi @RohitPatil,
Let me ask you a few questions to better understand the scenario here:

From the provided screenshot, it looks like this is all working but I want to double check this anyway.

About this:

I can regenerate the refresh_token with the previous refresh token within an hour only after then it fails with

Are you 100% sure? Isn’t there maybe another process/thread attempting to regenerate the refresh_token causing the previous one to be invalidated? What if you don’t use the access_token at all, does anything change?

You are most likely already across this, but here is our documentation on this topic.

Caterina
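The two points Caterina makes above (every /oauth/token call rotates the refresh_token and kills the previous one; the 90-day inactivity window resets on use while the 365-day absolute limit does not) and her question about a second process silently invalidating the token are easier to see in a simulation. The following is an added example, not code from Atlassian or from this thread: MockAuthServer is a hypothetical stand-in for https://auth.atlassian.com/oauth/token that runs offline with a simulated clock, the "constructed-auth-code" value is made up, and the error body is the one quoted in the thread.

```python
import secrets
from dataclasses import dataclass, field

HOUR, DAY = 3600, 86_400
INACTIVITY_EXPIRY = 90 * DAY   # reset on every successful /oauth/token call
ABSOLUTE_EXPIRY = 365 * DAY    # counted from the grant's first refresh_token


class TokenError(Exception):
    """Error response; body mirrors the JSON quoted in the thread."""
    def __init__(self, error, description):
        super().__init__(description)
        self.body = {"error": error, "error_description": description}


@dataclass
class MockAuthServer:
    """Hypothetical token endpoint with single-use (rotating) refresh tokens."""
    now: int = 0                                      # simulated clock, seconds
    _live: dict = field(default_factory=dict)         # refresh_token -> (started, last_used)

    def _issue(self, started):
        refresh = secrets.token_hex(16)
        self._live[refresh] = (started, self.now)
        return {"access_token": secrets.token_hex(16), "expires_in": HOUR,
                "refresh_token": refresh}

    def exchange_code(self, code):
        """grant_type=authorization_code: starts a new grant."""
        return self._issue(started=self.now)

    def refresh(self, refresh_token):
        """grant_type=refresh_token: the presented token is consumed either way."""
        entry = self._live.pop(refresh_token, None)
        if entry is None:                              # unknown, or already rotated away
            raise TokenError("unauthorized_client", "refresh_token is invalid")
        started, last_used = entry
        if self.now - started > ABSOLUTE_EXPIRY or self.now - last_used > INACTIVITY_EXPIRY:
            raise TokenError("unauthorized_client", "refresh_token is invalid")
        return self._issue(started)


class TokenStore:
    """Client side: persist the refresh_token from the latest response, every time."""
    def __init__(self, server, code):
        self.server = server
        self._save(server.exchange_code(code))

    def _save(self, resp):
        self.access_token = resp["access_token"]
        self.refresh_token = resp["refresh_token"]    # previous value is now dead

    def refresh(self):
        self._save(self.server.refresh(self.refresh_token))


def refresh_fails(store):
    """True when the token endpoint rejects the stored refresh_token."""
    try:
        store.refresh()
        return False
    except TokenError:
        return True


def rotation_demo():
    """Worker A rotates with the latest token; worker B, holding a stale copy of the same
    stored value (a second process that read the same row), gets the error from the thread."""
    server = MockAuthServer()
    store = TokenStore(server, "constructed-auth-code")
    stale_copy = store.refresh_token
    server.now += HOUR                                 # access_token has expired
    store.refresh()                                    # A succeeds and persists the new token
    try:
        server.refresh(stale_copy)                     # B presents the pre-rotation value
        return store.refresh_token != stale_copy, {}
    except TokenError as exc:
        return store.refresh_token != stale_copy, exc.body


def expiry_demo():
    """Returns (first day a 30-day refresh cadence fails, whether 91 idle days invalidates)."""
    server = MockAuthServer()
    store = TokenStore(server, "constructed-auth-code")
    first_failure_day = 0
    for day in range(30, 720, 30):
        server.now = day * DAY
        if refresh_fails(store):
            first_failure_day = day
            break
    idle_server = MockAuthServer()
    idle_store = TokenStore(idle_server, "constructed-auth-code")
    idle_server.now = 91 * DAY                         # no /oauth/token call for 91 days
    return first_failure_day, refresh_fails(idle_store)
```

rotation_demo() is the situation to check for in an app that sees "refresh_token is invalid" well before 90 days: any second caller (a retry, a cron job, a second instance of a POC) that still holds the pre-rotation value will get exactly that error, and the only value that works afterwards is the one returned by the most recent call. expiry_demo() shows the two limits Caterina describes: refreshing every 30 days keeps the inactivity clock reset, so the first failure comes from the 365-day absolute limit (day 390 in the simulation), while a grant left untouched for 91 days fails on the inactivity limit.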

Hello @ccurti

Thank you for the quick reply!

Yes, the offline_access scope has already been added and I am receiving both access_token & refresh_token with a 3600 expiry.

Yes, I am pretty 100% sure that no other process is regenerating the token, as this is a POC I am creating for the owner.


Hello everyone!

I created a new 3LO application 2 months ago and implemented it in my project according to the instructions.

Unfortunately, I have the same issue.
I can use the endpoint to rotate refresh_token many times with the same refresh_token.

@RohitPatil - Did you resolve this issue? I am also facing the same problem. The refresh token expires in 1 hour.

Same issue here.

Same here

@adrug16 @AjitPawar @DavidBroadhurst @YannickKonrad,

It looks like you are all new to the Atlassian developer community. Welcome!

I see that you seem to be facing the same problems with short refresh token expiration. While your subsequent request was relevant to the thread, we’re not getting new responses to your new issue. As such, I first recommend someone create a new post (in fact, I’m going to lock this one to avoid similar problems) with all the relevant details you can provide according to:

Even with that, OAuth problems are tricky because they involve secrets and often require Atlassians to go looking into specific logs to trace your requests for problems. As such, I would advise following up with our developer support where you can (and should) share your client ID & secret, along with any other details about the requests that would help us debug.