When to refresh an access token?

SOLVED
ChrisF4360

Hi all,

According to the docs, an access token, if not used, will expire in 24 hours. In addition, according to information from CC staff here in the forum, an access token will expire two hours after it has been used.

So how often should my application refresh the access token?

It doesn't seem reliable (or performant) to refresh an access token before each API call, so I'm assuming most folks set up a refresh token script which runs automatically on a set schedule (such as a cron job). Am I right in this? If that's the case, how often do you run the script, every hour?

Please advise.

1 ACCEPTED SOLUTION
ChrisF4360

In an effort to be helpful I'll document my findings here.

Access tokens do not expire two hours after they're used. Access tokens expire in 24 hours and I suppose that is that. I successfully used the same access token for API calls multiple times well over two hours without ever refreshing it.

So when (and how) should you refresh access tokens?

You could check if the access token is expired and refresh it (if need be) every time you make an API call. That could work, but you could potentially run into a situation where the refresh token actually expires. If that happens your API call will fail and you'll need to request authorization again to get new tokens. Refresh tokens expire after 180 days. That's a lot of time, but imagine you build a simple email opt-in form that uses the API to add contacts. Say that's on a website that doesn't get much traffic. 180 days could pass without a single user filling out the opt-in form. That piece of functionality will no longer work and you probably won't know about it.

Because the refresh tokens expire, the safest bet is to schedule a task (cron job) to run a script that will refresh the access token, say, every 12 hours.

I hope others find this helpful. 
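
A sketch of the scheduled refresh described in the answer above, added here as an example and not taken from the post or from the API provider. The 12-hour interval and 180-day lifetime are the post's figures; `refresh_fn`, `alert`, the JSON state layout, and the assumption that a successful refresh restarts the 180-day window are hypothetical.

```python
import json
import os
import time

ACCESS_REFRESH_AFTER = 12 * 3600      # the post's suggested 12-hour schedule
REFRESH_TTL = 180 * 24 * 3600         # refresh-token lifetime stated in the post


def save_state(path, state):
    # The file holds live credentials: owner-only mode, atomic replace.
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)


def decide(state, now):
    """Return 'reauthorize', 'refresh' or 'ok' for the stored token state."""
    if now - state["refresh_valid_from"] >= REFRESH_TTL:
        return "reauthorize"   # only a new authorization flow can recover
    if now - state["access_issued_at"] >= ACCESS_REFRESH_AFTER:
        return "refresh"
    return "ok"


def run_once(path, refresh_fn, alert, now=None):
    """One scheduled run. refresh_fn(refresh_token) -> dict is a hypothetical
    wrapper around the provider's token endpoint; alert(msg) notifies a human."""
    now = time.time() if now is None else now
    with open(path) as fh:
        state = json.load(fh)
    action = decide(state, now)
    if action == "reauthorize":
        alert("refresh token past its lifetime: re-authorization required")
    elif action == "refresh":
        try:
            new = refresh_fn(state["refresh_token"])
        except Exception as exc:   # surface the failure instead of dying silently
            alert(f"token refresh failed: {type(exc).__name__}")
            return "failed"
        state["access_token"] = new["access_token"]
        state["access_issued_at"] = now
        # Assumption: a successful refresh restarts the 180-day window.
        state["refresh_valid_from"] = now
        # Persist a rotated refresh token if the provider returned one.
        state["refresh_token"] = new.get("refresh_token", state["refresh_token"])
        save_state(path, state)
    return action
```

The alert carries only the exception type, so token values never reach logs or notification channels.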
