Can refresh tokens expire?


#1

Hi,

This is a question to which I cannot find an answer in the docs and no one appears to have asked yet. I’m trying to make an app that feeds billing data from another source into a new draft invoice in FreeAgent. I don’t want this to be web facing, I want it to be a node microservice just sitting on a server somewhere generating invoices on a schedule. I can authorise my app with a system user added to our FreeAgent account, then I get a refresh token - I can do this via the Google developer playground - but what’s not clear to me is if this refresh token will ever expire?

From reading around, it’s possible refresh tokens will expire, but it depends on the OAuth2 server and how it’s set up. I’m just wondering if:

  1. there is an expiry of refresh tokens; and
  2. if so, how long they live for.

Thanks,

Greg


#2

Refresh tokens never expire. Access tokens expire after 1 week. You can always get a new access token with your refresh token.


#3

Brilliant, thanks Andrew. That’s all I needed to know. :slight_smile:


#4

Hi Andrew,

I’m getting some strange results here in production. It seems the access tokens expire after 24 hours, not 1 week - but also, a refresh token I extracted a few weeks ago no longer seems valid. The response from the API is as follows:

StatusCodeError: 401 - 
{
  "errors":{
    "error":{
      "message":"Access token not recognised"
    }
  }
}

This has always worked in dev, it worked initially in testing live, but now live won’t accept any access tokens or refresh tokens. I fired up my dev VM and ran the code against your sandbox API again, no problem. Even though it’s not been refreshed for a while, the app managed to refresh the access token and generate invoices. But on live I created a brand new refresh token and it still isn’t accepted.

Looks like there’s quite a big difference between the behaviour of OAuth on live and on dev? Any light you can shed?

Thanks,

Greg


#5

Hi Greg,

That’s weird; for me the production access tokens last for a week. I haven’t tried to get a brand new refresh token for a few weeks but it certainly worked last time I tried.

By the way, I use FreeAgent’s API and have written a Ruby client for it, but I don’t work for FreeAgent :wink: Hopefully somebody who does can chime in.

Yours,
Andrew


#6

Ahh, good job you clarified. Thanks! Yes, I managed to make it work with curl, so it’s a total mystery as to why the same nodejs code works in dev but not in live! I’ll keep digging…

Thanks!

Edit: stupid mistake on my part, and an unhelpful error message from the API. There was no access code because my app couldn’t save it due to a local authentication issue. And the feedback from the API sent me off down a bad track. Sorted now!