Refresh token limits

Hi,
I have a question. Reading the documentation, I found this:

The API limits the number of active access tokens associated with a given refresh token. The limit is 50 tokens per client/user (that is, a user can only have 50 tokens live at a time per client ID). If multiple threads sharing the same authorization were to simultaneously refresh, some of them might not have working credentials at the end of the refresh. Synchronizing on the refresh operation prevents the application from inadvertently overrunning its limit.

But it is unclear to me.
Does the API limit only the number of live access tokens, or also the number of refresh tokens?

For example, if I have to manage 500 users, can I save 500 pairs of access tokens / refresh tokens and then update them (when necessary) synchronously? Or do I risk being unauthorized for some users?


The limit is per user per app. So you can have 1 million users, each with an Access Token and Refresh token, and they will all work fine, you could even get up to 50 tokens for each of those 1 million users and they will still all work. It’s just that no individual user of your app can have more than 50 tokens.

In most situations you’ll only need 1 access token and 1 refresh token for each user, and your app will handle refreshing it as needed.


Hi dist, thanks for replying. If I have 50 access tokens for the same user, is it possible for the refresh token to expire? Because in the past I had problems with an invalid refresh token error, but I was storing the new refresh token each time.

Refresh tokens don’t expire, but when you go through the refresh process you may or may not get a new refresh token, and so the most recent refresh token should be stored and used.

If you create an excessive number of tokens though it will kill the earlier tokens. For example if you have a user go through your OAuth flow 50 times for some reason, having them go through it a 51st time will kill the 1st set of tokens regardless of their expiration.

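The per-user synchronization described in the quoted documentation, combined with the advice to always store the most recent refresh token, as an added example that is not part of the thread or of the API's own code. `TokenStore`, `FakeTokenEndpoint`, and the endpoint's behaviour of rejecting a superseded refresh token are assumptions made for the demonstration; the response field names follow the standard OAuth 2.0 token response.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor

class TokenStore:
    """One access/refresh pair per user; refreshes are serialized per user."""
    def __init__(self, refresh_call):
        self._refresh_call = refresh_call  # assumed: refresh_token -> response dict
        self.tokens, self._locks = {}, {}
        self._guard = threading.Lock()     # protects the lock table itself

    def put(self, user, access, refresh, expires_in):
        self.tokens[user] = {"access": access, "refresh": refresh,
                             "expires_at": time.monotonic() + expires_in}

    def access_token(self, user):
        with self._guard:
            lock = self._locks.setdefault(user, threading.Lock())
        with lock:  # only one thread per user may run the refresh
            tok = self.tokens[user]
            if time.monotonic() < tok["expires_at"]:
                return tok["access"]  # still valid, or another thread just refreshed
            resp = self._refresh_call(tok["refresh"])
            tok["access"] = resp["access_token"]
            # A new refresh token may or may not be returned; keep the latest one.
            tok["refresh"] = resp.get("refresh_token", tok["refresh"])
            tok["expires_at"] = time.monotonic() + resp["expires_in"]
            return tok["access"]

class FakeTokenEndpoint:
    """Constructed stand-in for a token endpoint that rotates refresh tokens."""
    def __init__(self, refresh):
        self.calls, self.current = 0, refresh

    def __call__(self, refresh):
        if refresh != self.current:
            raise PermissionError("invalid refresh token")
        self.calls += 1
        self.current = f"refresh-{self.calls}"
        return {"access_token": f"access-{self.calls}",
                "refresh_token": self.current, "expires_in": 3600}

def demo(threads=8):
    endpoint = FakeTokenEndpoint("refresh-0")
    store = TokenStore(endpoint)
    store.put("user-1", "access-0", "refresh-0", expires_in=0)  # already expired
    with ThreadPoolExecutor(max_workers=threads) as pool:
        seen = set(pool.map(store.access_token, ["user-1"] * threads))
    return endpoint.calls, seen, store.tokens["user-1"]["refresh"]
```

Eight threads asking for the same user's token trigger a single refresh call, and all of them receive the same new access token, so the user stays at one live token instead of creeping toward the limit of 50.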
