Quick question about your OAuth refresh token behavior so we can fix our integration.
What we do today:
We hit https://api.nuki.io/oauth/token with grant_type=refresh_token and observe that the response returns a new access_token, a new refresh_token, and expires_in.
We rotate and persist the new refresh token on every refresh, and schedule a proactive refresh before expires_in elapses.
On a 400 from the refresh endpoint we mark the account disconnected; on other errors we retry up to 6 times with a 1-3 minute backoff.
What we’d like to confirm:
1. Refresh token expiry and rotation — We understand refresh tokens have a ~90-day lifetime. When we rotate (exchange the old refresh token for a new pair), does the 90-day clock reset on the newly issued refresh token, or is it absolute from the initial grant? Put differently: can we refresh indefinitely as long as we keep rotating, or will customers need to reconnect every 90 days regardless of activity?
2. Rotation semantics — Is the previous refresh token invalidated immediately when a new one is issued, or is there a grace window? What happens if two refresh calls race?
3. Invalidation triggers — Beyond user revocation and password change, what else invalidates a refresh token (inactivity, re-auth from a new flow, etc.)?
We’re seeing a steady rate of account disconnections in production and want to distinguish truly unrecoverable cases from ones we should retry.
Thanks!
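The refresh loop described in the post (rotate and persist the new pair on every refresh, refresh proactively before `expires_in`, treat a 400 as a disconnect and retry other errors with backoff) together with the race question from item 2, as an added example that is not part of the post and not Nuki's code. The `FakeTokenServer` is a constructed stand-in for `https://api.nuki.io/oauth/token`; its rotation rule (the old refresh token dies the moment a new one is issued) is an assumption for the demo, not a statement of the provider's behaviour. The client serialises refreshes with a lock so two callers can never spend the same refresh token, and persists the new pair before returning it, since after rotation the old token may already be dead.

```python
"""Added example (not Nuki's code): an OAuth refresh-token client with rotation,
proactive refresh, serialised refreshes and a permanent/transient error split."""
import secrets
import threading
import time


class FakeTokenServer:
    """Constructed stand-in for the /oauth/token endpoint. Single-use refresh tokens
    and immediate invalidation are assumptions for the demo, not provider facts."""

    def __init__(self, expires_in=3600):
        self.expires_in = expires_in
        self.live_refresh_tokens = set()
        self.refresh_calls = 0
        self.transient_failures = 0  # how many upcoming refresh calls answer 503

    def grant(self):
        """Issue a fresh access/refresh pair (stands in for the initial auth-code grant)."""
        refresh = secrets.token_hex(8)
        self.live_refresh_tokens.add(refresh)
        return {"access_token": secrets.token_hex(8), "refresh_token": refresh,
                "expires_in": self.expires_in}

    def refresh(self, refresh_token):
        self.refresh_calls += 1
        if self.transient_failures:
            self.transient_failures -= 1
            return 503, {"error": "temporarily_unavailable"}
        if refresh_token not in self.live_refresh_tokens:
            return 400, {"error": "invalid_grant"}
        self.live_refresh_tokens.discard(refresh_token)  # assumed: old token dies on rotation
        return 200, self.grant()


class Disconnected(Exception):
    """The provider rejected the refresh token; only a new user authorisation recovers."""


class TransientFailure(Exception):
    """Retries of a non-400 error were exhausted; keep the account and try again later."""


class TokenClient:
    MAX_RETRIES = 6  # retry count and backoff window taken from the post's description

    def __init__(self, server, tokens, clock=time.time, sleep=time.sleep, skew=300):
        self.server, self.clock, self.sleep, self.skew = server, clock, sleep, skew
        self._lock = threading.Lock()  # one refresh at a time: no two callers share a token
        self.disconnected = False
        self._store(tokens)

    def _store(self, tokens):
        # Persist the new pair before anyone uses it: the old refresh token may already be
        # invalid, so losing the new one here would force the customer to reconnect.
        self.access_token = tokens["access_token"]
        self.refresh_token = tokens["refresh_token"]
        self.expires_at = self.clock() + tokens["expires_in"]

    def get_access_token(self):
        with self._lock:
            if self.disconnected:
                raise Disconnected("account needs reconnect")
            if self.clock() < self.expires_at - self.skew:  # proactive refresh before expiry
                return self.access_token
            self._refresh_locked()
            return self.access_token

    def _refresh_locked(self):
        for attempt in range(self.MAX_RETRIES + 1):
            status, body = self.server.refresh(self.refresh_token)
            if status == 200:
                self._store(body)
                return
            if status == 400:  # invalid_grant: revoked or rotation broke; retrying cannot help
                self.disconnected = True
                raise Disconnected(body.get("error"))
            if attempt < self.MAX_RETRIES:  # 5xx/network: back off 1-3 minutes, then retry
                self.sleep(min(180, 60 * (attempt + 1)))
        raise TransientFailure()


class FakeClock:
    """Controllable clock so the example runs instantly and deterministically."""

    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def concurrent_fetch(client, n):
    """Have n threads ask for an access token at once; returns the tokens they got."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(client.get_access_token()))
               for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    clock, server = FakeClock(), FakeTokenServer()
    client = TokenClient(server, server.grant(), clock=clock, sleep=lambda s: None)
    clock.advance(3600 - 100)  # inside the skew window: next call refreshes proactively
    tokens = concurrent_fetch(client, 4)
    print("refresh calls:", server.refresh_calls, "distinct tokens handed out:", len(set(tokens)))
```

The `sleep` and `clock` parameters exist only so the backoff and expiry can be exercised without waiting; in production they default to `time.sleep` and `time.time`. The lock is the part that answers the race question on the client side: whatever the provider's grace window turns out to be, a client that never issues two refreshes with the same token at once does not depend on it.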