The specification does not guide or limit the provider in implementing their
own security policies and that includes the lifetime of tokens. Some
providers may limit it intentionally to let users re-confirm that they still
want to provide the access (or simply users should be logged on to their

I'm building an OAuth app that integrates with Contacts and Gmail, and
everything is working correctly, except that the OAuth access tokens
that I'm generating seem to only last 1 day.
I was under the impression that OAuth access tokens should last
indefinitely as long as they are not revoked by

Token duration is a policy decision. Each site decides on what they will
grant. For example at LinkedIn we give the user the option of one day, one
week, one year, or until revoked. To help partners we are planning on
adding some of the OAuth