Token Validity
Grant Token (Authorization code)
- Grant token is a one-time use token and valid for two minutes, by default. If you want to extend the expiry time, choose the required time from the drop-down while generating the token from the developer console (applicable only to self-clients).
- You can generate a maximum of 10 grant tokens in a span of 10 minutes per client ID.
Access Token
- Each access token is valid for one hour.
Refresh Token
- Refresh tokens do not expire until a user revokes them.
- You can generate a maximum of 10 access tokens from a refresh token in a span of 10 minutes.
- You can generate a maximum of 20 refresh tokens in a span of 10 minutes per client ID.
- When you generate the 21st refresh token, the first created refresh token gets deleted.
- When you generate an access token using a revoked refresh token, the system returns the "invalid_code" error.
- When you revoke a refresh token, all the access tokens you generated with that refresh token also become invalid. When you use any of these access tokens in an API call, the system returns the "invalid_token" error.