Superseded: 31 January 2022 - Action required - Deprecating persistent refresh tokens


Maybe I can simplify my line of questions using the Auth0 rotating refresh token behavior, outlined here.

Auth0 has refresh tokens and refresh token families, where a refresh token family is the chain of rotating refresh tokens issued after a user completes the OAuth2 flow. Auth0 states: The lifetime does not extend when tokens are rotated.

This means that the expiration applies to the family, not individual refresh tokens. Is this the case with Atlassian? If so, this means that when using rotating refresh tokens, with offline access, you require a user to re-initiate the OAuth2 flow every 30 days, correct?


1 Like