Integrating with Nylas involves dealing with different types of tokens, each having its own lifecycle and peculiarities. This article aims to clarify these token types, their lifetimes, and how they interact with Nylas and third-party providers like Microsoft and Google.
Nylas Access Tokens
Nylas Access Tokens do not have a predefined expiration date. However, Nylas proactively expires them if the underlying provider credentials (OAuth or Basic) become invalid.
Provider OAuth Refresh Tokens
The lifespan of OAuth Refresh Tokens is determined by the respective providers:
- Microsoft: By default, these tokens expire after 90 days. Administrators can change this default setting.
- Google: OAuth Refresh Tokens generated by a production application typically do not expire. However, a Google Cloud Platform project whose OAuth consent screen is configured for an external user type with a publishing status of "Testing" is issued a refresh token that expires in 7 days.
Provider Access Tokens
These tokens are usually valid for 1 hour. Nylas refreshes them automatically using the account's stored refresh token.
Special Note on Microsoft Refresh Tokens
Microsoft issues a new refresh token each time a new access token is requested. Nylas uses this behavior to extend the lifespan of a Microsoft Refresh Token as much as possible. In the early stages of integration, Nylas uses the original Microsoft refresh token a few times, then replaces it with the new one provided by Microsoft. After that replacement, the original Microsoft refresh token no longer sees any activity generated by Nylas. Microsoft has a policy of revoking any refresh token that remains inactive for 90 days.
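The rotation behavior described above, as an added Python example (not Nylas or Microsoft code): a simplified model in which `FakeProvider`, `GrantStore`, `InvalidGrant` and all token strings are constructed for illustration. It shows a client that stores each newly issued refresh token staying valid, while a second copy of the original token goes unused and is rejected after 90 days of inactivity.

```python
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(days=90)  # Microsoft default per the article; admins can change it

class InvalidGrant(Exception):
    """Hypothetical error: the provider rejected the refresh token."""

class FakeProvider:
    """Constructed stand-in for a token endpoint that rotates refresh tokens."""
    def __init__(self, first_token, now):
        self.last_used = {first_token: now}
        self.counter = 0

    def redeem(self, refresh_token, now):
        seen = self.last_used.get(refresh_token)
        if seen is None or now - seen > INACTIVITY_LIMIT:
            raise InvalidGrant(refresh_token)
        self.last_used[refresh_token] = now  # redeeming counts as activity
        self.counter += 1
        rotated = f"rt-{self.counter}"
        self.last_used[rotated] = now
        return {"access_token": f"at-{self.counter}", "refresh_token": rotated}

class GrantStore:
    """Holds one account's refresh token and always keeps the newest one."""
    def __init__(self, refresh_token):
        self.refresh_token = refresh_token
        self.needs_reauth = False

    def refresh(self, provider, now):
        try:
            resp = provider.redeem(self.refresh_token, now)
        except InvalidGrant:
            self.needs_reauth = True  # flag for re-authentication instead of retrying
            return None
        # Persist the rotated token; keep the old one if none was returned.
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        return resp["access_token"]

def simulate():
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed start date
    provider = FakeProvider("rt-original", t0)
    rotating = GrantStore("rt-original")  # follows rotation, as the article describes
    stale = GrantStore("rt-original")     # separate copy that is never used again
    for day in range(0, 120, 30):         # refresh on days 0, 30, 60, 90
        rotating.refresh(provider, t0 + timedelta(days=day))
    later = t0 + timedelta(days=120)
    stale.refresh(provider, later)        # original token idle for 120 days
    rotating.refresh(provider, later)
    return rotating.needs_reauth, stale.needs_reauth, rotating.refresh_token
```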
- Refresh tokens in the Microsoft identity platform - Token lifetime
- Using OAuth 2.0 to Access Google APIs - Refresh token expiration