expires_in and refresh_expires_in Have the Same Value
While analyzing an issue related to token handling, we noticed something unusual and would appreciate your help reviewing it.
In the token response, both expires_in and refresh_expires_in are set to the same value.
From what we understand — and based on your documentation — the refresh token should typically be valid much longer than the access token, so that clients can refresh tokens without requiring the user to re-authenticate.
If both values are the same, it means the refresh token expires at the same time as the access token, which prevents a token refresh once the access token has expired. This seems to undermine the purpose of using refresh tokens in the first place.
Could you please confirm whether this behavior is expected or if it might be a misconfiguration?
Thanks in advance,