Hello, fellow developers
I wanted to remind everyone to use the new access and refresh tokens immediately once you receive them after a rotating refresh token exchange. If you're already doing this, feel free to skip this reminder.
What happens during a rotating refresh token exchange?
When you perform a rotating refresh token exchange, a new pair of tokens is generated: a new access token and a new refresh token. Use the new tokens and discard the old ones.
Why can't we keep using the old refresh and access tokens?
After a successful rotating refresh token exchange, the old access and refresh tokens enter a 10-minute grace period (leeway window) before they are marked as revoked. The grace period exists to allow multiple retries in case the client does not receive the new token pair. We have recently made the enforcement of this behavior stricter for all access tokens. The revocation ensures that any tokens tied to a compromised or revoked refresh token are also invalidated.
Key points
- Companion tokens: the access token and refresh token created together in the same request are linked. If the refresh token is revoked, the matching access token is also revoked.
- Grace period (leeway window): there is a 10-minute leeway window after the rotating refresh token exchange during which the old access token and refresh token are still valid. This mechanism allows retries if a client fails to receive the new token pair.
- Use new tokens immediately: make sure to use the new access token as soon as you receive it to access protected resources. The actual revocation time of an access token may be earlier than the expiration time shown in its exp claim if the companion refresh token is used to exchange for another token pair.
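To make the companion-token and grace-period behaviour above concrete, here is a small simulation added for this post; it is not the platform's own server or SDK code. The 10-minute leeway window and the companion linking come from the points above; the nominal one-hour access-token lifetime, the in-memory token store, and the choice to hand back the already-issued pair when a client retries with the superseded refresh token inside the window are assumptions made for illustration. The fake clock lets the scenario step past the grace period without waiting.

```python
"""Simulation of rotating refresh tokens with companion access tokens and a grace period.

Constructed example, not the platform's own implementation. Assumptions: a one-hour
nominal access-token lifetime, an in-memory store, and idempotent retry semantics
(a retry with the superseded refresh token inside the window returns the pair already issued).
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

GRACE_PERIOD_SECONDS = 10 * 60   # leeway window stated in the announcement
ACCESS_TTL_SECONDS = 60 * 60     # assumed nominal access-token lifetime (the exp claim)


@dataclass
class TokenPair:
    access: str
    refresh: str
    exp: float                                  # nominal expiry shown in exp
    revoke_at: Optional[float] = None           # actual revocation time; may be earlier than exp
    successor: Optional["TokenPair"] = None     # pair minted when this refresh token was exchanged


class RotatingTokenServer:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self._by_refresh: dict[str, TokenPair] = {}
        self._by_access: dict[str, TokenPair] = {}

    def _mint(self) -> TokenPair:
        # Access and refresh token issued in the same request are companions (one record).
        pair = TokenPair(access=secrets.token_urlsafe(16), refresh=secrets.token_urlsafe(16),
                         exp=self.clock() + ACCESS_TTL_SECONDS)
        self._by_refresh[pair.refresh] = pair
        self._by_access[pair.access] = pair
        return pair

    def login(self) -> TokenPair:
        return self._mint()

    def _is_revoked(self, pair: TokenPair) -> bool:
        return pair.revoke_at is not None and self.clock() >= pair.revoke_at

    def exchange(self, refresh_token: str) -> TokenPair:
        """Rotating refresh token exchange: mint a new pair, schedule the old pair's revocation."""
        pair = self._by_refresh.get(refresh_token)
        if pair is None or self._is_revoked(pair):
            raise PermissionError("refresh token is unknown or revoked")
        if pair.successor is not None:
            # Retry inside the grace period: return the pair already issued (assumption).
            return pair.successor
        new_pair = self._mint()
        pair.successor = new_pair
        # Old access AND refresh token stay valid for the leeway window, then both are revoked.
        pair.revoke_at = self.clock() + GRACE_PERIOD_SECONDS
        return new_pair

    def revoke_refresh(self, refresh_token: str) -> None:
        """Explicit revocation (e.g. suspected compromise): immediate, companion access token included."""
        pair = self._by_refresh.get(refresh_token)
        if pair is not None:
            pair.revoke_at = self.clock()

    def access_is_valid(self, access_token: str) -> bool:
        pair = self._by_access.get(access_token)
        return pair is not None and self.clock() < pair.exp and not self._is_revoked(pair)


class Client:
    """A well-behaved client: swaps to the new pair the moment the exchange succeeds."""
    def __init__(self, server: RotatingTokenServer, pair: TokenPair):
        self.server, self.pair = server, pair

    def refresh(self) -> TokenPair:
        self.pair = self.server.exchange(self.pair.refresh)   # discard the old pair right here
        return self.pair


class FakeClock:
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_scenario() -> dict:
    """Walk through one rotation and report what is valid when."""
    clock = FakeClock()
    server = RotatingTokenServer(clock)
    old = server.login()
    client = Client(server, old)
    new = client.refresh()
    out = {
        "old_access_valid_in_grace": server.access_is_valid(old.access),
        "new_access_valid": server.access_is_valid(new.access),
        # A client that lost the response retries with the superseded refresh token in time.
        "retry_returns_same_pair": server.exchange(old.refresh) is new,
    }
    clock.advance(GRACE_PERIOD_SECONDS + 1)
    out["old_access_valid_after_grace"] = server.access_is_valid(old.access)
    out["old_revoked_before_exp"] = clock() < old.exp        # revoked although exp is still in the future
    try:
        server.exchange(old.refresh)
        out["old_refresh_rejected"] = False
    except PermissionError:
        out["old_refresh_rejected"] = True
    out["new_access_still_valid"] = server.access_is_valid(new.access)
    server.revoke_refresh(new.refresh)                        # companion revocation is immediate
    out["companion_access_revoked"] = not server.access_is_valid(new.access)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the scenario is the `old_revoked_before_exp` check: the superseded access token is rejected a little over ten minutes after the exchange even though its exp claim still says it has most of an hour left, which is exactly why a client must not keep serving requests with it after a successful refresh.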
If you have any questions or need further clarification, feel free to reach out. We’re here to help!