Authentication Refresh Token Expiration?

When capturing oauth and doing refresh token flows. Are there any timeouts to be concerned with?

My current approach, which I feel is making too many requests:

  1. OAuth flow to capture refresh token and access token
  2. 30min before token expires, request a new token (would like to reduce this to once a week instead of every 30min, or remove this)

I also have a try/catch, that on an authentication failure, it will try and do a refresh. But I was hoping to remove, or reduce how often my application asks for a new token.

I would like to keep these sessions open indefinitely, as long as the users continue to engage with my application of course. It may be a few days, up to 2 weeks between usage, would be annoying to have to re-do oauth each time.

I’m sure my application would be fine either way, but can Twitch or if someone else knows, what are the actual timeouts here?

At time of writing.

Refresh tokens don’t have an expiration
You may get a new refresh token when you refresh.

Every other token, either returns the expire time in seconds in the JSON blob, or you can check the expiration time via The validation endpoint

Generally speaking

  • OIDC Tokens - 15 mins none refreshable not an oAuth Token
  • Implicit User oAuth Token - 60 days none refreshable, can’t auto get new one
  • Regular User oAuth Token - 4 hours, refreshable
  • Server to Server token - 60 days, none refreshable, can auto get new one is not a user token

This is what most people do. They either refresh the token, at the time they need to (about to make a request), or before it expries.

Usually the former.

Chat bots only need a valid “user token” to login to chat, as it’s only checked at login. Then a chatbot can mostly use a app access/server to server token for everything else. Saves you some expires there.

If I refresh subscribers into a database, I’ll refresh the token if it’s expired when I do the run. Depends if I’m using the token for something else.

So, really, you only need to refresh the token “when you are about to use it”. As apposed to “when it’s about to die”

1 Like

Posted a deep technical question after midnight and had an answer when I woke up in the morning? You are a god! And that is very detailed and helpful.

I will switch to doing it only when needed(expiration date is past, or get a rejection). And remove the periodic renewal that’s happening for no reason every 4hrs lol.

Thank you!


Yeah the key part here, is what you use the token for.

You’ll likely need to renew (and recrate the hook) for webhooks (but not eventsub).

But glad to have been of use!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.