MSAL Token Expires after a day

Justin Ar-Rasheed 1 Reputation point

Here's the code I'm using


const msalConfig = {
auth: {
clientId: process.env.MICROSOFT_CLIENT_ID,
authority: process.env.MICROSOFT_AUTHORITY,
clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
system: {
loggerOptions: {
loggerCallback(loglevel, message, containsPii) {
piiLoggingEnabled: false,
logLevel: msal.LogLevel.Verbose,

const msalClient = new msal.ConfidentialClientApplication(msalConfig);

const tokenRequest = {
scopes: process.env.MICROSOFT_SCOPES.split(","),
redirectUri: process.env.MICROSOFT_REDIRECT_URL,

const response = await msalClient.acquireTokenByCode(tokenRequest);

const msalTokenCache = msalClient.getTokenCache();

const account = await msalTokenCache.getAccountByHomeId(homeAccountId);

const response = await msalClient.acquireTokenSilent({
scopes: [
forceRefresh: false,
redirectUri: "",

const { idToken } = response;


After that, I try to get a new token from the following endpoint:

But then I get the following error

error: {
code: 'InvalidAuthenticationToken',
message: 'CompactToken parsing failed with error code: 80049217',
innerError: {
date: '2022-08-12T03:33:46',
'request-id': '9f90ea05-2d9e-41a1-b6fc-3d53c2f67501',
'client-request-id': '9f90ea05-2d9e-41a1-b6fc-3d53c2f67501'

Followed by an empty access token

I've been stuck on for 9 months. Please help

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,293 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Vicky Kumar (Mindtree Consulting PVT LTD) 1,156 Reputation points Microsoft Employee

    Thanks for reaching out to us,

    Refresh tokens given to Single-Page Applications are limited-time refresh tokens (usually 24 hours from the time of retrieval). This is a non-adjustable, non-sliding window, lifetime. Whenever a refresh token is used to renew an access token, a new refresh token is fetched with the renewed access token. This new refresh token will have a lifetime equal to the remaining lifetime of the original refresh token. Once a refresh token has expired, a new authorization code flow must be initiated to retrieve an authorization code and trade it for a new set of tokens.

    Note: When a new refresh token is obtained, msal.js replaces the cached refresh token with the new refresh token, however the old refresh token is not invalidated by the server and may still be used to obtain access tokens until its expiration.

    kindly use doc to refresh token -


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".