Okta Classic Engine | Administration | Answered | 2024-04-15T11:44:37.000Z | 2018-12-17T18:14:40.000Z | 2019-06-27T16:34:03.000Z
  • Refresh tokens normally have very long expiration times relative to access tokens. Because refresh tokens are more valuable than access tokens, they are usually only issued via the OAuth “Authorization Code Grant” flow.

    When a token is created using an API flow, an "expires_in" can be set to a specific number.

    Please find the below snippet from the article https://developer.okta.com/authentication-guide/tokens/refreshing-tokens

    http --form POST https://{yourOktaDomain}/oauth2/default/v1/token \
      accept:application/json \
      authorization:'Basic MG9hYmg3M...' \
      cache-control:no-cache \
      content-type:application/x-www-form-urlencoded \
      grant_type=refresh_token \
      redirect_uri=http://localhost:8080 \
      scope=offline_access \
      refresh_token=MIOf-U1zQbyfa3MUfJHhvnUqIut9ClH0xjlDXGJAyqo

    If the refresh token is valid, then you get back a new access/refresh token combination:

    {
      "access_token": "eyJhbGciOiJ[...]K1Sun9bA",
      "token_type": "Bearer",
      "expires_in": 3600,
      "scope": "offline_access",
      "refresh_token": "MIOf-U1zQbyfa3MUfJHhvnUqIut9ClH0xjlDXGJAyqo"
    }
    Selected as Best
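
Added example (not part of the original answer or of Okta's documentation): one way a client could process the response to the refresh grant shown above, assuming a plain dict as the token store. The function names, the 60-second skew and the sample values are assumptions; the handling follows RFC 6749, where expires_in is the access token's lifetime and a returned refresh token replaces the stored one.

```python
import json
import time

class ReauthRequired(Exception):
    """The refresh token was rejected; the user has to sign in again."""

def apply_token_response(store, status, raw_body, now=None, skew=60):
    """Update store (a dict) from the response to a refresh_token grant.

    Returns "rotated" if a different refresh token came back, else "unchanged".
    """
    now = time.time() if now is None else now
    body = json.loads(raw_body)
    if status != 200:
        # RFC 6749 section 5.2: invalid_grant covers an expired or revoked refresh token.
        if body.get("error") == "invalid_grant":
            store.clear()  # drop every cached token, none of them is usable any more
            raise ReauthRequired("refresh token rejected")
        raise RuntimeError(f"token endpoint error: {body.get('error')}")
    if str(body.get("token_type", "")).lower() != "bearer":
        raise RuntimeError("unexpected token_type")
    old = store.get("refresh_token")
    store["access_token"] = body["access_token"]
    # expires_in is the access token's lifetime in seconds; it says nothing
    # about how long the refresh token remains valid.
    store["access_expires_at"] = now + int(body["expires_in"]) - skew
    # RFC 6749 section 6: a returned refresh token replaces the old one;
    # if the field is omitted, keep using the old one.
    store["refresh_token"] = body.get("refresh_token", old)
    return "rotated" if store["refresh_token"] != old else "unchanged"

def needs_refresh(store, now=None):
    """True when no access token is cached or it is within the skew of expiry."""
    now = time.time() if now is None else now
    return now >= store.get("access_expires_at", 0)

# Constructed sample responses (token values are placeholders, not real tokens).
SAMPLE_OK = json.dumps({"access_token": "AT-constructed", "token_type": "Bearer",
                        "expires_in": 3600, "scope": "offline_access",
                        "refresh_token": "RT-constructed-1"})
SAMPLE_INVALID_GRANT = json.dumps({"error": "invalid_grant"})

if __name__ == "__main__":
    store = {"refresh_token": "RT-constructed-1"}
    print(apply_token_response(store, 200, SAMPLE_OK, now=1000), store["access_expires_at"])
```

The store is cleared on invalid_grant so that a rejected refresh token is never retried, and no token value is printed or logged.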
This question is closed.
What is the lifetime of refresh tokens and how do they expire?