Xero - beautiful accounting software

Xero Developer Help Center

Xero Developer Community

Community > API Authentication >

Refresh token appears to only last an hour instead of 60 days

Started by Matt Gladman -   in API Authentication

Hi, we're developing an PKCE app and it is currently uncertified.

Currently it appears as if our `refresh_token` only lasts approximately 1 hour (could be a bit more or a bit less, haven't done exact timing). If we don't use the API for about an hour and use the `refresh_token` to get a new `access_token` we get "invalid_grant" error.

We know the refresh token method we've implemented works fine because if we just delete the `access_token` from the system, it successfully refreshes the `access_token` and updates the `refresh_token`.

I was under the impression that the `refresh_token` should last approximately 60 days, is there a reason our refresh_token is expiring or could it be something else?

We only have 2-3 tenants using this app at most.

NOTE: The user I'm testing with is the demo org user, not sure if that could be making an impact. But this effectively makes it impossible to use this app offline....

Example:

01:00: POST /connect/token?grant_type=refresh_token&client_id=<client_id>&refresh_token=<refresh_token1>
- We store the access_token and the refresh_token returned here (refresh_token2)

01:18: POST /connect/token?grant_type=refresh_token&client_id=<client_id>&refresh_token=<refresh_token2>
- We store the access_token and the refresh_token returned here (refresh_token3)

01:48: POST /connect/token?grant_type=refresh_token&client_id=<client_id>&refresh_token=<refresh_token3>
- We store the access_token and the refresh_token returned here (refresh_token4)

03:00: POST /connect/token?grant_type=refresh_token&client_id=<client_id>&refresh_token=<refresh_token4>
invalid_grant error
The refresh tokens by default have a validity of 60 days. However this is shortened under a number of circumstances.

The most typical example is when the refresh token is used. In your example refresh_token3 would expire 30 minutes after being used at 01:48. This 30 minute grace period is to provide an opportunity to retry the refresh in the event of a connection issue.

If there was another undocumented refresh between 01:48 and 02:30 this could have caused refresh_token4 to have expired.

Another possibility would be the user getting removed from the organisation, having their user access downgraded, or the organisation being reset.

I would suggest troubleshooting by looking at what else occurs between 01:48 and 03:00. If you are still having issues please reach out to our support team with your app's client ID, the timestamps of the refreshes and if possible the last four digits of each refresh token.

Regards

Robin
 

Robin Blackstone (Community Manager)  

I'm the only user of the system, so there won't be any other activity with the API going on. In the example, zero activity happened in between 01:48 and 03:00. The system or Xero weren't used.

Same with the user being removed, it's only my user in the Demo Org, it won't be shifting around.

In the examples, we're always using the freshest refresh token, so the 30 min grace period shouldn't be applying (I understand the 30min grace period occurs when using an old refresh token)

I'll reach out to support with the specifics. I assume opening a case on the Salesforce Community https://central.xero.com/s/contact-support under `Connected apps & services` will be sufficient?
 

Matt Gladman  

It appears to be a bug when a refresh_token is generated before the access_token has expired, the refresh_token does not last. I'll submit full details to support. But this does appear to be a Xero bug
 

Matt Gladman