Hi @RohitPatil,
Let me start with some context and general information which might add clarity to our documentation.
Since the recent introduction of rotating refresh tokens and the deprecation of persistent refresh tokens (which has been announced in "Updated: 31 January 2022 - Action required - Deprecating persistent refresh tokens"), there are now two tokens:
- access_token which expires after 1 hour
- refresh_token which can be used to retrieve a new access_token and a new refresh_token. The refresh_token is invalidated with every https://auth.atlassian.com/oauth/token request.
Please note that each request to the https://auth.atlassian.com/oauth/token will generate a new refresh_token. This is the token that should be used to retrieve a new access_token. At the same time, each time a new request is performed the previous refresh_token will be invalidated and the app logic should save this value to be used the next time it’s needed.
The app will need to store each refresh_token and use that in subsequent requests once the access_token expires.
The Inactivity Expiration (90 days) and Absolute Expiration (365 days) refer to a refresh_token. Regarding the Inactivity Expiration (90 days), this only applies if no new https://auth.atlassian.com/oauth/token request is performed. As soon as a request to obtain an access_token is sent, a new refresh_token is generated and its inactivity expiry time is reset to 90 days. Any subsequent request will need to use the refresh_token generated when requesting the most recent access_token.
The Absolute Expiration (365 days) is not related to the user’s activity. This means that after the first refresh_token is generated, even if it keeps getting refreshed, the refresh_token expires after 365 days.
Hope this helps,
Caterina
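
The rotation and expiry rules described in the post above, as an added example that is not part of the original post and is not Atlassian's code. `RotatingTokenStore`, the injected `post` callable and `FakeTokenEndpoint` are hypothetical names; the form follows the standard OAuth 2.0 refresh grant, with client credentials left to `post`.

```python
import json, os, tempfile, time

TOKEN_URL = "https://auth.atlassian.com/oauth/token"
INACTIVITY = 90 * 86400  # reset every time the refresh_token is rotated
ABSOLUTE = 365 * 86400   # counted from the first refresh_token, never reset

class RotatingTokenStore:
    def __init__(self, path, post, now=time.time):
        # post(url, form) -> dict is injected (hypothetical) so the HTTP client is swappable
        self.path, self.post, self.now = path, post, now

    def _save(self, state):
        # mkstemp creates the file with mode 0600; the rename makes the swap atomic
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:
            json.dump(state, f)
        os.replace(tmp, self.path)

    def bootstrap(self, refresh_token):
        t = self.now()
        self._save({"refresh_token": refresh_token, "first_issued": t,
                    "last_rotated": t, "access_token": None, "access_expires": 0})

    def access_token(self):
        with open(self.path) as f:
            s = json.load(f)
        t = self.now()
        if s["access_token"] and t < s["access_expires"] - 60:
            return s["access_token"]  # still valid, do not rotate needlessly
        if t >= s["first_issued"] + ABSOLUTE or t >= s["last_rotated"] + INACTIVITY:
            raise PermissionError("refresh_token expired; user must re-authorize")
        r = self.post(TOKEN_URL, {"grant_type": "refresh_token",
                                  "refresh_token": s["refresh_token"]})
        # The token just sent is now invalid: persist its replacement before returning
        s.update(refresh_token=r["refresh_token"], access_token=r["access_token"],
                 access_expires=t + r["expires_in"], last_rotated=t)
        self._save(s)
        return s["access_token"]

class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint: each refresh_token works once."""
    def __init__(self, first):
        self.valid, self.n = first, 0

    def __call__(self, url, form):
        if form["refresh_token"] != self.valid:
            raise PermissionError("invalid refresh_token")
        self.n += 1
        self.valid = f"rt-{self.n}"
        return {"access_token": f"at-{self.n}", "refresh_token": self.valid, "expires_in": 3600}
```

If several workers share one refresh_token, serialize calls to `access_token()` with a lock, since two concurrent refreshes would each invalidate the other's token.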