OAuth 2.0

The access-token lifecycle

A partner access token is minted, cached, reused until just before expiry, then re-minted. There is no refresh token in the client-credentials grant — you simply request a new one.


Mint once: reuse many
expires_in: drives your cache
No refresh: re-mint instead

The full cycle

The lifecycle is a short loop. Your server posts its client credentials to the token endpoint, caches the returned token alongside its expiry, and attaches it to every partner call. Shortly before the token expires it mints a fresh one and swaps it in. Because there is no user session, there is no refresh token — the client-credentials grant re-mints from the same secret each time.

Caching correctly

Key the cache by client and scope, and store the absolute expiry (now + expires_in, minus a safety margin of a few seconds). Serve the cached token to every worker rather than minting one per request — the token endpoint is rate-limited and a mint-per-call pattern will throttle you fast. In a multi-process deployment, share the token through a small cache (for example Redis) so all workers reuse one live token.

Handling expiry mid-flight

Even with a margin, a token can expire between your check and the server's clock. Treat a 401 with an expired-token reason as a signal to mint once and retry the request exactly once. Do not retry blindly on every 401 — an invalid credential (bad secret, revoked client) also returns 401, and retrying that just burns your token-endpoint quota.
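
The caching and expiry rules above, combined in an added example (not code from this page or from any partner SDK): an in-process cache keyed by (client, scope) that stores the absolute expiry, and a call wrapper that re-mints and retries once only on an expired-token 401. The `mint` and `send` callables, the `expired_token` reason string and the 5-second margin are assumptions standing in for your token endpoint and HTTP client.

```python
import threading
import time


class TokenCache:
    """One live token per (client_id, scope), shared by every caller in this process."""

    def __init__(self, mint, margin=5, clock=time.time):
        self._mint = mint      # assumed: mint(client_id, scope) -> (token, expires_in)
        self._margin = margin  # safety margin in seconds (assumed value)
        self._clock = clock
        self._lock = threading.Lock()
        self._entries = {}     # (client_id, scope) -> (token, absolute_expiry)

    def get(self, client_id, scope):
        key = (client_id, scope)
        with self._lock:  # one mint at a time, so workers never stampede the endpoint
            entry = self._entries.get(key)
            if entry and self._clock() < entry[1]:
                return entry[0]
            token, expires_in = self._mint(client_id, scope)
            self._entries[key] = (token, self._clock() + expires_in - self._margin)
            return token

    def invalidate(self, client_id, scope, token):
        # Drop the entry only if it still holds the token that failed, so a
        # worker that already re-minted is not forced to mint again.
        with self._lock:
            entry = self._entries.get((client_id, scope))
            if entry and entry[0] == token:
                del self._entries[(client_id, scope)]


def call_partner(cache, client_id, scope, send):
    """send(token) -> (status, reason, body) is an assumed transport callable."""
    token = cache.get(client_id, scope)
    status, reason, body = send(token)
    if status == 401 and reason == "expired_token":  # assumed reason string
        cache.invalidate(client_id, scope, token)
        # Retry exactly once with a fresh token; any other 401 goes to the caller.
        status, reason, body = send(cache.get(client_id, scope))
    return status, reason, body
```

In a multi-process deployment the `_entries` dict would be replaced by the shared cache the section describes, with the same key and absolute-expiry value.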

Frequently asked questions

Is there a refresh token?

No. The client-credentials grant has no refresh token because there is no user session to keep alive. When your access token expires you request a new one directly from the token endpoint using the same client credentials.

How many tokens should my service hold at once?

Ideally one live token per (client, scope) pair, shared across your workers. Minting a token per request or per worker wastes your token-endpoint rate-limit budget and offers no benefit.
