+ Start a Discussion

Access Token

Once you retrieve an access token using oauth, how long is it valid? Does it eventually expire?


Yes, the timeout value is configurable via a setting in the org.  Setup -> Administration Setup -> Security Controls -> Session Settings > Timeout value.


If you use the token continually it shouldn't expire.


I notice the longest Timeout value available is 8 hours.  Is there any plan to increase this?


Other OAuth token providers (twitter, facebook) support a much longer period of time and this is really handy - especially if the user doesn't access your app frequently.  E.g. the twitter client on my iPhone - I would stop using it if I had to log in every day!


When you are using OAuth with our service you get both a session token ( access_token ) and a long term token ( refersh_token ) which can be used to obtain new access_tokens from the token endpoint.    The easiest way to think of it is the refersh token is kind of like a password and the access token is kind of like a session cookie....you can use the referesh token to get new sessions.   The access tokens work like with the session settings.  Refresh tokens are long lived, but can be revoked.


Hope that helps.




So if I understand you correctly, I should use the following algorithm to give the appearance of a non-expiring token:



1. Do the dance

2. Acquire access and refresh tokens

3. Store the refresh token



1. Grab the refresh token

2. Make a call to get a new access token

3. Set the session ID to the access token

4. Make the WS call




1. Store the access token

2. Set the session ID to the access token

3. Attempt a WS call

4. On error, obtain a new access token and goto step 2.


Is this correct?





Yup - that's the general idea.


As your client starts a new session, use the refresh token to fetch and access token.   When the access token expires, throw it out and get a new one ( or if your client session ends, throw away the access token )


Think of it like a webbrowser using a password to get a session cookie.   Close the browser and you need to login again to get a new session cookie.

Shriya Gupta 7Shriya Gupta 7

@dkador You mentioned that "If you use the token continually it shouldn't expire." So does this mean even if i have set expiration time as 8 hrs for access token, it won't get expired as long as i am continually using it?

Right now what i am facing is, I have set expiration time as 8 hrs but i am able to use access token continuously since 3 days. What exaclty does this behavior mean?

Thank you in advance.

satyajeet vyassatyajeet vyas
I think it means if you dont use access token for 8 hours it will expire...gap shouldnt be more than 8 hours...am i right...?