API Access Token Expiry

We have an OAuth App and are creating access_tokens with the expectation that our system would periodically invoke the GitHub API without an active user. (The user authorizes our app and walks away)

Usually with OAuth Code Flow, I would expect to see a refresh_token returned from the token endpoint when I supply the code and get an access_token. The refresh_token could be used later to get access_tokens without any user interaction. I've also seen other solutions implement something like an 'offline_access' scope which lets the system know I need a refresh_token or to extend the access_token expiry. GitHub does not mention one in its documentation and doesn't seem to provide a refresh_token, and the access_token seems to expire after about a day. If I needed to call the API daily, I would have to keep re-engaging with the user daily to authorize, and this is not desirable.

What is the best practice for managing ‘offline access’ in GitHub?

Is there a way to get a refresh_token?

Is there a way to extend the expiry of the access_tokens I do get?


Below is the answer I received from GitHub support. So I guess there is something on my side that I've missed.

GitHub’s OAuth tokens don’t expire after some specific period since they’ve been created (and refresh tokens aren’t used currently, because of that). However, there are several reasons why a valid token might become invalid:

  • the token was manually revoked by the user, either via the UI or the API
  • the token was manually revoked by the OAuth application it was created for, either via the UI or the API
  • the token was automatically revoked by GitHub because it has not been used for over a year
  • the token was automatically revoked by GitHub because it was pushed to a public repository – see https://github.com/blog/1956-keeping-github-oauth-tokens-safe (this will happen only for tokens that have some scopes attached, it will not happen for scopeless tokens)
  • the token was automatically revoked by GitHub because the OAuth application it was created for reached the limit for the number of tokens for a specific user and set of scopes – see https://developer.github.com/v3/oauth/#multiple-tokens
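Given the support answer above (tokens are long-lived, and become invalid only through one of the listed revocation events), the practical design for unattended access is: store the token once, use it on every scheduled run, treat a 401 from the API as "revoked" and only then send the user back through the authorization flow. Re-running the authorization flow on a schedule is actively harmful, since every new grant with the same scopes counts toward the per-app token cap mentioned in the last bullet. The following is an added example, not code from the original thread or from GitHub; `TokenStore`, `FakeGitHub`, `sync_once` and `ReauthorizationRequired` are names chosen here, and `FakeGitHub` is a constructed offline stand-in for api.github.com. The only real API detail it relies on is that the v3 API accepts an OAuth token via the `Authorization: token <token>` header and answers `401` once that token is invalid.

```python
"""Unattended GitHub API access with a long-lived OAuth token.

Added example (not from the original post).  FakeGitHub is a constructed
stand-in so this runs offline; a real client would issue the same GET to
https://api.github.com with the same header.
"""
import time

ONE_YEAR = 365 * 24 * 3600


class ReauthorizationRequired(Exception):
    """Raised only when the stored token is gone or revoked."""


class TokenStore:
    """Per-user token storage.  A dict stands in for encrypted-at-rest
    storage; the shape (token, scopes, last_used) is what matters."""

    def __init__(self):
        self._tokens = {}  # user -> {"token": str, "scopes": tuple, "last_used": float}

    def save(self, user, token, scopes, now=None):
        self._tokens[user] = {
            "token": token,
            "scopes": tuple(scopes),
            "last_used": time.time() if now is None else now,
        }

    def get(self, user):
        return self._tokens.get(user)

    def touch(self, user, now):
        self._tokens[user]["last_used"] = now

    def forget(self, user):
        self._tokens.pop(user, None)


class FakeGitHub:
    """Offline model of api.github.com: tokens never expire by age, but any
    revocation event (user, app, one-year idle rule, public push, token cap)
    removes them from the valid set and the API starts answering 401."""

    def __init__(self):
        self.valid = set()

    def issue(self, token):
        self.valid.add(token)

    def revoke(self, token):
        self.valid.discard(token)

    def get(self, path, headers):
        auth = headers.get("Authorization", "")
        if auth.startswith("token ") and auth[len("token "):] in self.valid:
            return 200, {"login": "octocat", "path": path}
        return 401, {"message": "Bad credentials"}


def sync_once(store, user, path, github, now):
    """One scheduled run.  Returns ("ok", body) on success or
    ("reauth", reason) when the user must authorize the app again."""
    entry = store.get(user)
    if entry is None:
        return "reauth", f"no token stored for {user}"
    status, body = github.get(path, {"Authorization": f"token {entry['token']}"})
    if status == 401:
        # The token was revoked.  Drop it and ask the user to re-authorize
        # once; never start a fresh authorization on a timer, because each
        # new grant with the same scopes counts toward the per-app token cap.
        store.forget(user)
        return "reauth", f"token for {user} was revoked"
    store.touch(user, now)
    return "ok", body


def needs_keepalive(store, user, now, margin=30 * 24 * 3600):
    """True when the token has been idle long enough that GitHub's one-year
    idle revocation is within `margin`.  A daily job never hits this; a job
    that runs rarely can make a cheap authenticated GET to reset the clock."""
    entry = store.get(user)
    return entry is not None and (now - entry["last_used"]) > ONE_YEAR - margin


if __name__ == "__main__":
    store, gh = TokenStore(), FakeGitHub()
    gh.issue("gho_example")                      # constructed token value
    store.save("alice", "gho_example", ["repo"], now=0.0)
    print(sync_once(store, "alice", "/user", gh, now=86400.0))
    gh.revoke("gho_example")                     # e.g. user revoked it in the UI
    print(sync_once(store, "alice", "/user", gh, now=172800.0))
```

The first call succeeds and records `last_used`; after the simulated revocation the second call returns `("reauth", ...)` and clears the stored token, which is the only point at which the user needs to be involved again. On the real API the same `401` is what a revoked token produces, so the scheduled job can stay silent for as long as the token remains valid.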