Sep 20, 2021 4:34 PM
Beginning on November 8th, OAuth access tokens will be generated with a shorter expiration time. Tokens currently expire 6 hours after they are generated. After this change, tokens will expire 30 minutes after being generated.
The expires_in parameter returned with tokens will always reflect the time that the token will expire, so if your integration is following that parameter, or automatically refreshing the access token when receiving an HTTP 401 error for an expired token, then you should not need to make any changes to your integration. However, if you've hardcoded the current 6-hour refresh time, then you will need to update your integration to match the new 30-minute expiration time. We would recommend following the expires_in parameter for refreshing access tokens, and not hardcoding a refresh time.
This change will have no effect on refresh tokens, or any other part of the OAuth process.
This change will affect new access tokens starting on November 8th. Any access tokens created before this change will be valid for their full lifetime based on the expires_in parameter received at the time the token was generated.
Please let us know if you have any questions by replying below.
Dec 17, 2021 11:13 AM
I do consider this was a breaking change since you guys induced a 12x change regarding the expiration time, which is major. I had something like Max(0, expires_in - 1 hour), so of course you can't subtract an hour from 30 minutes, which made the code refresh the token every event loop available. Which is, you guessed it, a lot of times per second.
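The refresh timing recommended in the announcement and the failure mode described in the reply above, as an added example (not HubSpot's code and not the poster's). The names refreshDelayMs, fixedMarginDelayMs and TokenCache, the one-tenth margin and the 5-second floor are all assumptions made for illustration.

```javascript
// Added example; refreshDelayMs, fixedMarginDelayMs and TokenCache are hypothetical names.
const MIN_DELAY_MS = 5000;           // floor so a short lifetime never yields a zero delay
const SAFETY_DIVISOR = 10;           // refresh once one tenth of the lifetime remains...
const MAX_SAFETY_MS = 5 * 60 * 1000; // ...but no more than 5 minutes early

// Delay until the next refresh, derived from the expires_in value (seconds).
function refreshDelayMs(expiresInSec) {
  if (!Number.isFinite(expiresInSec) || expiresInSec <= 0) return MIN_DELAY_MS;
  const lifetimeMs = expiresInSec * 1000;
  const margin = Math.min(lifetimeMs / SAFETY_DIVISOR, MAX_SAFETY_MS);
  return Math.max(MIN_DELAY_MS, lifetimeMs - margin);
}

// The fixed one-hour margin from the reply, for comparison: it collapses to 0
// as soon as the lifetime is at or below the margin, so the refresh loop spins.
function fixedMarginDelayMs(expiresInSec, marginSec = 3600) {
  return Math.max(0, expiresInSec - marginSec) * 1000;
}

class TokenCache {
  // fetchToken: async () => ({ access_token, expires_in }); now: injectable clock
  constructor(fetchToken, now = Date.now) {
    this.fetchToken = fetchToken;
    this.now = now;
    this.token = null;
    this.refreshAt = 0;
    this.inFlight = null;
  }

  get() {
    if (this.token && this.now() < this.refreshAt) return Promise.resolve(this.token);
    if (!this.inFlight) {
      // Single-flight: concurrent callers share one refresh request.
      this.inFlight = this.fetchToken()
        .then((t) => {
          this.token = t.access_token;
          this.refreshAt = this.now() + refreshDelayMs(t.expires_in);
          return this.token;
        })
        .finally(() => { this.inFlight = null; });
    }
    return this.inFlight;
  }

  // Call after an HTTP 401 so the next get() fetches a new access token.
  invalidate() { this.refreshAt = 0; }
}
```

With expires_in of 1800 the proportional margin refreshes after 27 minutes, while the fixed one-hour margin returns a delay of 0.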
Dec 10, 2021 7:25 AM
Oh wow, this caused an application I built to break since the update.
Glad support pointed this out or I wouldn't have known what went wrong.
Sep 20, 2021 5:51 PM
The 30-minute expiration is in line with other SaaS and OAuth platforms that we looked at. Most systems that we looked at have tokens that last 30-60 minutes.
This change will have no effect on refresh tokens, only the short-lived access tokens. In the event there was a failure and access tokens could not be refreshed within 30 minutes, you would still be able to generate new access tokens for any connected accounts after the system recovered, as long as you still had valid refresh tokens for those accounts.
Sep 20, 2021 5:09 PM
How were 30 minutes chosen for the length of time for expiration? Is that some type of standard that HubSpot must follow?
I can foresee a huge support nightmare in the scenario where there's downtime either from the HubSpot API or the app itself that fails to renew on time. It would cause all tokens to fail at around the same time without a chance to recover the failing service in the chain.