topic Re: Expiry for authorization code & refresh tokens? in Spotify for Developers

Expiry for authorization code & refresh tokens?

DaveCa — Wed, 10 Jan 2024 18:58:18 GMT

Hi - Access token exportation is documented at 1 hour, but I cannot see anything indicating that the authorization code (i.e.: what is sent to the redirect URL after you point the user's browser to the 'authorize' endpoint). Does this mean that it's good forever? If not: does anyone know what errors will ensue once the expiry occurs?

Same question for the refresh token parameter - does it also have a 1 hour timeout, same as the access token?

Re: Expiry for authorization code & refresh tokens?

Ximzend — Wed, 10 Jan 2024 19:55:00 GMT

When an access token is expired, you'll get a 401 error.

When the refresh token is expired, you'll get a new one when you refresh the access token.

Re: Expiry for authorization code & refresh tokens?

DaveCa — Wed, 10 Jan 2024 19:58:18 GMT

Thanks for this. Any info on whether the authorization code ever expires?

Re: Expiry for authorization code & refresh tokens?

pettinen — Wed, 10 Jan 2024 22:15:00 GMT

Authorization codes seem to expire in 10 minutes. Makes sense, since that's the maximum lifetime the OAuth 2.0 spec recommends.

Trying to get tokens with an expired code returns HTTP 400 with

{"error":"invalid_grant","error_description":"Authorization code expired"}

And they're not going to be stored forever, so eventually, presumably, HTTP 400 with

{"error":"invalid_grant","error_description":"Invalid authorization code"}

(not that it makes a difference; error_description is not a machine-readable field and your code shouldn't care about it).

Re: Expiry for authorization code & refresh tokens?

abhinavpatra — Sun, 09 Nov 2025 18:24:26 GMT

any idea on when the refresh_token expires i dont think it does