Access Tokens
In OAuth, access tokens are opaque strings that allow a client to access protected resources.
The exact format of access and refresh tokens is out of scope of the OAuth specification, which lets the authorisation server use whichever representation best fits its needs. Hence, the client must not assume any specific implementation and should treat access and refresh tokens as opaque bits of information.
Note:
- The validity of an access token is stated in the access token response.
- The validity of a refresh token is not defined, but it is usually valid for at least 60 days. However, this lifespan is editable.
The client may store the access tokens obtained from the authorisation server and supply them in requests to resource servers, but it must not inspect the contents of the tokens.
Access tokens are opaque
Do not rely on the content of access and refresh tokens in the integration of your client application with Pleo. Their format is not guaranteed and can be changed without notice. This can break the interoperability of your application with Pleo.
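An added example, not Pleo's code or part of the original page: a client-side token store that never decodes the tokens and tracks expiry only from the token response. The `access_token`, `refresh_token` and `expires_in` field names (RFC 6749) and the `Bearer` header (RFC 6750) are assumptions about the response format, and `OpaqueTokenStore` is a hypothetical helper.

```python
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class StoredTokens:
    access_token: str             # opaque: stored and sent back, never parsed
    refresh_token: Optional[str]  # opaque as well
    expires_at: float             # derived from the response, not from the token


class OpaqueTokenStore:
    """Tracks token lifetime using only the token response metadata."""

    def __init__(self, skew_seconds: int = 30, clock=time.time):
        self._skew = skew_seconds  # refresh slightly early to absorb clock drift
        self._clock = clock
        self._tokens: Optional[StoredTokens] = None

    def save_response(self, response: dict) -> None:
        # Field names follow RFC 6749 section 5.1 (assumed, not taken from the page).
        expires_in = response.get("expires_in")
        if not isinstance(expires_in, (int, float)) or expires_in <= 0:
            raise ValueError("token response carries no usable expires_in")
        previous = self._tokens.refresh_token if self._tokens else None
        self._tokens = StoredTokens(
            access_token=response["access_token"],
            # A refresh response may omit refresh_token; keep the one we hold.
            refresh_token=response.get("refresh_token", previous),
            expires_at=self._clock() + expires_in,
        )

    def needs_refresh(self) -> bool:
        if self._tokens is None:
            return True
        return self._clock() >= self._tokens.expires_at - self._skew

    def authorization_header(self) -> dict:
        if self.needs_refresh():
            raise RuntimeError("access token missing or expired; refresh first")
        # The token is passed through byte for byte, whatever its format.
        return {"Authorization": f"Bearer {self._tokens.access_token}"}
```

Because expiry comes from the response and not from the token body, the store keeps working if the token format changes.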