Hello Karthik Venkatachalam,
Refresh tokens in Azure DevOps OAuth2 follow Microsoft Entra ID’s default token lifetime policies. They are usually valid for 90 days as long as they are used at least once within that period. If left unused for 90 consecutive days, they expire and cannot be used to generate a new access token.
Since your refresh token became invalid in less than 10 days, your organization may have Conditional Access policies that require more frequent re-authentication, shortening the refresh token’s lifespan.
Also, check your app registration's redirect URI platform. If it's a Single-page application (SPA), refresh tokens expire much faster, typically within 24 hours, due to browser security restrictions that prevent long-lived tokens.
Here’s a reference from Microsoft that explains refresh token expiration in more detail:
Another factor to consider is whether your application is storing and using the most recent refresh token. Since a new refresh token is issued with every access token request, using an outdated one might cause it to be rejected.
Hope this helps!
If this answer was helpful, please click "Accept the answer" and mark Yes, as this can be beneficial to other community members.
If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
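The point above about always storing the most recent refresh token, as an added example that is not part of the original answer: a small store that persists the rotated token atomically after every refresh and signals when a new sign-in is needed. `RotatingTokenStore`, `ReauthRequired`, the injected `post_token_request` callable and `FakeTokenEndpoint` are hypothetical names; the fake endpoint is a constructed stand-in that rejects every token except the latest one, which is stricter than a real identity provider may be.

```python
import json, os, tempfile, threading

class ReauthRequired(Exception):
    """The refresh token was rejected; the user has to sign in again."""

class RotatingTokenStore:
    def __init__(self, path, post_token_request):
        # post_token_request: hypothetical callable(form_dict) -> response_dict
        self.path, self.post, self.lock = path, post_token_request, threading.Lock()

    def load(self):
        with open(self.path) as f:
            return json.load(f)

    def _save(self, tokens):
        # Write to a 0600 temp file, then rename, so a crash never leaves a stale token.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path))
        with os.fdopen(fd, "w") as f:
            json.dump(tokens, f)
        os.replace(tmp, self.path)

    def refresh(self):
        with self.lock:  # one refresh at a time, so two workers never race on one token
            current = self.load()["refresh_token"]
            resp = self.post({"grant_type": "refresh_token", "refresh_token": current})
            if resp.get("error") == "invalid_grant":
                raise ReauthRequired(resp.get("error_description", ""))
            # Persist the rotated token before handing out the access token.
            self._save({"refresh_token": resp.get("refresh_token", current)})
            return resp["access_token"]

class FakeTokenEndpoint:
    """Constructed stand-in: rotates on every call, accepts only the latest token."""
    def __init__(self, initial):
        self.valid, self.n = initial, 0

    def __call__(self, form):
        if form["refresh_token"] != self.valid:
            return {"error": "invalid_grant", "error_description": "stale refresh token"}
        self.n += 1
        self.valid = f"rt-{self.n}"
        return {"access_token": f"at-{self.n}", "refresh_token": self.valid}

def demo():
    path = os.path.join(tempfile.mkdtemp(), "tokens.json")
    with open(path, "w") as f:
        json.dump({"refresh_token": "rt-0"}, f)  # constructed sample token
    endpoint = FakeTokenEndpoint("rt-0")
    store = RotatingTokenStore(path, endpoint)
    first, second = store.refresh(), store.refresh()  # each call uses the newest token
    stale = endpoint({"grant_type": "refresh_token", "refresh_token": "rt-0"})
    return first, second, store.load()["refresh_token"], stale.get("error")
```

In a real application the stored file would live in a secret store or OS keychain rather than a plain JSON file, and `ReauthRequired` would trigger the interactive sign-in flow.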