Authorization flow for expiring tokens

All API requests require an access token. The access token contains information about which scopes the user has authorized, and which API calls your application is permitted to make on the user’s behalf. You can select to use an expiring or a non-expiring token while creating your app. You cannot enable, disable, or update this setting after you create your app.

We recommend using an expiring access token and refresh token as this enhances your application's security. An expiring access token expires in 1 hour and a refresh token expires in 60 days. When a new access token is requested, you also get a new refresh token. In this scenario, the old access token and refresh token are no longer valid. If you enable this feature, when you exchange an authorization code to an access token, you will also get a refresh token in the response.

Here’s a summary of the steps involved in the OAuth authorization flow using expiring access tokens:


REST API OAuth authorization flow

Here’s a summary of the steps involved in the authorization flow for expiring access tokens:

  1. Create authorization request link
  2. Request user for authorization
  3. Exchange authorization code with access token
  4. Use access token for REST API requests
  5. Get new access token using refresh token