Authlete's policy on sweeping unused tokens


Authlete removes access tokens and refresh tokens that have not been used for a certain period: 90 days. “Use” in this context means read or update operations that Authlete performs on the tokens to process requests, such as token introspection or updating scopes.

This removal is not affected by the token’s expiration time defined in the service owner console. For example, a refresh token with a very long expiration time is still subject to removal from the token database 90 days after its last use.

If a token that has not been used for 90 days is then used, Authlete will send a response with “[A057302] The access token does not exist” because the token has already been deleted from the database.
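
One way to tell an expected sweep apart from an unexplained missing token when the A057302 message appears, as an added example that is not Authlete code. It assumes a hypothetical local inventory (TokenRecord) that records each token's configured expiry and last use, that removal happens exactly at the 90-day mark, and that the same message is returned for any token absent from the database.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SWEEP_WINDOW = timedelta(days=90)   # idle period stated on this page
MISSING_TOKEN_CODE = "A057302"      # result code quoted on this page

@dataclass
class TokenRecord:
    """Hypothetical row in a local inventory of issued tokens (not an Authlete type)."""
    token_id: str
    expires_at: datetime   # expiration configured in the service owner console
    last_used: datetime    # last request that made Authlete read/update the token

def sweep_deadline(rec: TokenRecord) -> datetime:
    return rec.last_used + SWEEP_WINDOW

def effective_end(rec: TokenRecord) -> datetime:
    """Moment the token stops working: expiry or idle sweep, whichever comes first."""
    return min(rec.expires_at, sweep_deadline(rec))

def result_code(message: str) -> Optional[str]:
    """Extract 'A057302' from a message shaped like '[A057302] The access token ...'."""
    m = re.match(r"\[([A-Z]\d+)\]", message.strip())
    return m.group(1) if m else None

def triage(message: str, rec: Optional[TokenRecord], now: datetime) -> str:
    """Classify a failed token lookup for logging and alerting."""
    if result_code(message) != MISSING_TOKEN_CODE:
        return "other-error"
    if rec is None:
        return "unknown-token"        # never in our inventory: worth an alert
    if now >= sweep_deadline(rec):    # assumption: removal happens at the deadline
        return "swept-idle"           # explained by the 90-day policy
    return "missing-unexplained"      # recently used yet gone (e.g. revoked): investigate

# Constructed sample data: both tokens have a ten-year configured expiry.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
LONG_LIVED = TokenRecord("rt-1", NOW + timedelta(days=3650), NOW - timedelta(days=91))
RECENT = TokenRecord("rt-2", NOW + timedelta(days=3650), NOW - timedelta(days=5))
MSG = "[A057302] The access token does not exist"

if __name__ == "__main__":
    for rec in (LONG_LIVED, RECENT, None):
        print(rec.token_id if rec else "(none)", triage(MSG, rec, NOW))
```

Calling effective_end on each inventory row shows how far the real lifetime of a long-lived refresh token falls short of its configured expiry when the client is idle.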