Hi @RohitPatil,
Let me start with some context and general information which might add clarity to our documentation.
Since the recent introduction of rotating refresh tokens and the deprecation of persistent refresh tokens (which has been announced in Updated: 31 January 2022 - Action required - Deprecating persistent refresh tokens), there are now two tokens:
- access_token, which expires after 1 hour
- refresh_token, which can be used to retrieve a new access_token and a new refresh_token. The refresh_token is invalidated with every https://auth.atlassian.com/oauth/token request.
Please note that each request to https://auth.atlassian.com/oauth/token will generate a new refresh_token. This is the token that should be used to retrieve a new access_token. At the same time, each time a new request is performed the previous refresh_token will be invalidated and the app logic should save this value to be used the next time it’s needed.
The app will need to store each refresh_token and use that in subsequent requests once the access_token expires.
The Inactivity Expiration (90 days) and Absolute Expiration (365 days) refer to a refresh_token. Regarding the Inactivity Expiration (90 days), this only applies if no new https://auth.atlassian.com/oauth/token request is performed. As soon as a request to obtain an access_token is sent, a new refresh_token is generated and its inactivity expiry time is reset to 90 days. Any subsequent request will need to use the refresh_token generated when requesting the most recent access_token.
The Absolute Expiration (365 days) is not related to the user’s activity. This means that after the first refresh_token is generated, even if it keeps getting refreshed, the refresh_token expires after 365 days.
Hope this helps,
Caterina
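
The rotation and expiry rules described in the post above, as an added client-side sketch that is not part of the original post and is not Atlassian code. `RotatingTokenStore`, `FakeTokenEndpoint` and the `post_token` callable are hypothetical names; the fake endpoint is a constructed stand-in so the example runs offline, and the store is assumed to be created at the moment the first refresh_token is issued.

```python
import threading
from datetime import datetime, timedelta

INACTIVITY = timedelta(days=90)    # reset by every token request
ABSOLUTE = timedelta(days=365)     # counted from the first refresh_token
ACCESS_TTL = timedelta(hours=1)
T0 = datetime(2024, 1, 1)          # constructed sample start time

class ReauthorizationRequired(Exception):
    """The refresh_token has expired; the user has to authorize the app again."""

class RotatingTokenStore:
    def __init__(self, post_token, refresh_token, now):
        self._post = post_token        # hypothetical transport: callable(refresh_token) -> dict
        self._lock = threading.Lock()  # one refresh at a time: the old token is invalidated on use
        self.refresh_token = refresh_token
        self.first_issued = self.last_rotated = now
        self.access_token, self.access_expires = None, now

    def refresh_deadline(self):
        # Whichever limit comes first ends the refresh_token's life.
        return min(self.last_rotated + INACTIVITY, self.first_issued + ABSOLUTE)

    def get_access_token(self, now):
        with self._lock:
            if self.access_token and now < self.access_expires:
                return self.access_token
            if now >= self.refresh_deadline():
                raise ReauthorizationRequired("refresh_token expired")
            reply = self._post(self.refresh_token)
            # Save the rotated refresh_token first (durable storage in a real app).
            self.refresh_token = reply["refresh_token"]
            self.last_rotated = now
            self.access_token = reply["access_token"]
            self.access_expires = now + ACCESS_TTL
            return self.access_token

class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint: accepts only the latest refresh_token."""
    def __init__(self, first):
        self.current, self.n = first, 0

    def __call__(self, refresh_token):
        if refresh_token != self.current:
            raise PermissionError("refresh_token already invalidated")
        self.n += 1
        self.current = f"rt-{self.n}"
        return {"access_token": f"at-{self.n}", "refresh_token": self.current}
```

The lock matters because two workers refreshing with the same stored refresh_token would leave one of them holding a value the endpoint has already invalidated.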