7

I am working with Oauth2.0. In that i could able get the access_token and instance_url. Is there any expiry time for these two.

Can I store them and use it for all my REST calls without getting the new access_token and the instance_url. Is it possible for me to use it for long hours or even days.

abraham
  • 46,583
  • 10
  • 100
  • 152
Easwaramoorthy Kanagaraj
  • 3,925
  • 8
  • 36
  • 62

1 Answers1

10

The access token is only valid for the length of a session (as defined in the Salesforce Org's settings — I believe the longest this can be is 8 hours without activity), as it's actually a session ID, that said, you should also be given a refresh token. The refresh token has a much longer lifetime and can be used to authenticate the user once the session has expired, without them having to enter any credentials — this allows you to do it in the background without them even having to concern themselves with the login process.

model metrics do a good job of explaining the token flow here.

Matt Lacey
  • 8,227
  • 35
  • 58
  • Actually, refresh_tokens aren't handed out unless you're building a mobile app or In-SalesForce app. See http://wiki.developerforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com and search for "Note that refresh_token is only sent if either of the following is the case". I found this out after 4 hours of trying to figure out why the ****ing thing wasn't giving me one. :) I'm happy to be proven wrong, though.. EDIT: I stand corrected. See http://stackoverflow.com/questions/4997747/salesforce-oauth-2-0-api-get-refresh-token-with-authorization-url-launched-in-a. – Anthony May 09 '13 at 21:35