Access Tokens
In OAuth, access tokens are opaque strings that allow a client to access protected resources.
The exact format of access and refresh tokens is out of scope of the OAuth specification, which allows the authorisation server to use the representation that best fits its needs. Hence, the client must not assume any specific implementation and should treat access and refresh tokens as opaque bits of information.
Note: An access token is valid for 15 minutes and a refresh token is valid for 60 days.
The client may store the access tokens obtained from the authorisation server and supply them in requests to resource servers, but it must not inspect the contents of the tokens.
Access tokens are opaque
Do not rely on the content of access and refresh tokens in the integration of your client application with Pleo. Their format is not guaranteed and can change without notice, so relying on it can break the interoperability of your application with Pleo.
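A client-side token store that follows this rule, shown as an added example and not as Pleo's own code: it decides when to refresh from its own clock and the lifetimes stated above, and never parses a token. The names StoredTokens, store_token_response, next_action and authorization_header are hypothetical; the response fields and the Bearer header follow RFC 6749 and RFC 6750 and are assumptions about the integration.

```python
import time
from dataclasses import dataclass

# Lifetimes stated on this page, in seconds.
ACCESS_TOKEN_TTL = 15 * 60
REFRESH_TOKEN_TTL = 60 * 24 * 60 * 60


@dataclass(frozen=True)
class StoredTokens:
    access_token: str         # opaque: stored and sent verbatim, never parsed
    refresh_token: str        # opaque
    access_expires_at: float  # derived from the client's clock, not the token
    refresh_expires_at: float


def store_token_response(response: dict, now: float) -> StoredTokens:
    """Record a token response without looking inside either token."""
    # Assumption: "expires_in" (RFC 6749) may be present; else use the page's 15 minutes.
    ttl = response.get("expires_in", ACCESS_TOKEN_TTL)
    return StoredTokens(
        access_token=response["access_token"],
        refresh_token=response["refresh_token"],
        access_expires_at=now + ttl,
        refresh_expires_at=now + REFRESH_TOKEN_TTL,
    )


def next_action(tokens: StoredTokens, now: float, skew: float = 30.0) -> str:
    """Decide what to do from stored timestamps only."""
    if now < tokens.access_expires_at - skew:
        return "use_access_token"
    if now < tokens.refresh_expires_at - skew:
        return "refresh"
    return "reauthorise"


def authorization_header(tokens: StoredTokens) -> dict:
    # Assumption: bearer token usage (RFC 6750).
    return {"Authorization": f"Bearer {tokens.access_token}"}


if __name__ == "__main__":
    # Constructed sample responses: two different token shapes, handled identically.
    for resp in ({"access_token": "aaa.bbb.ccc", "refresh_token": "r-1", "expires_in": 900},
                 {"access_token": "k3Yq_opaque-value", "refresh_token": "r-2"}):
        tokens = store_token_response(resp, now=time.time())
        print(next_action(tokens, time.time()), authorization_header(tokens))
```

Because nothing here depends on the token's shape, a change of token format on the server side leaves the client's behaviour unchanged.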