Google API refresh token limit


It's 50 per user (client-user) as in User of your Client. Not client_id. For each person that authenticates your application you can have them authenticate it up to 50 times. Each refresh token you receive will work. After the 50th the first one will stop working. They will also work for up to 6 months I think; if it hasn't been used for 6 months it will be invalidated.

You can have as many people use your Client (client_id) as are willing to authenticate you. You won't have any problems.

From the Google OAuth2 documentation found here

Token expiration

You must write your code to anticipate the possibility that a granted token might no longer work. A token might stop working for one of these reasons:

• The user has revoked access.

• The token has not been used for six months.

• The user changed passwords and the token contains Gmail scopes.

• The user account has exceeded a certain number of token requests.

There is currently a limit of 50 refresh tokens per user account per client. If the limit is reached, creating a new token automatically invalidates the oldest token without warning. This limit does not apply to service accounts.

There is also a larger limit on the total number of tokens a user account or service account can have across all clients. Most normal users won't exceed this limit but a developer's test account might.

If you need to authorize multiple programs, machines, or devices, one workaround is to limit the number of clients that you authorize per user account to 15 or 20. If you are a Google Apps admin, you can create additional admin users and use them to authorize some of the clients.

Question: Where did you find this? I would like to report it to Google; it's a bit confusing.

Note: Save refresh tokens in secure long-term storage and continue to use them as long as they remain valid. Limits apply to the number of refresh tokens that are issued per client-user combination, and per user across all clients, and these limits are different. If your application requests enough refresh tokens to go over one of the limits, older refresh tokens stop working.
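An added example (not from the original answer or from Google's documentation) of why an application should keep only the newest refresh token per user and treat an `invalid_grant` response as the signal to re-authorize. `FakeAuthServer` is a constructed stand-in that models only the 50-token limit quoted above; all class, method and token names are hypothetical.

```python
from collections import deque

class FakeAuthServer:
    """Constructed stand-in for the token endpoint; models only the limit."""
    def __init__(self, limit=50):            # 50 per client-user, as quoted above
        self.limit, self.issued, self.live = limit, 0, {}

    def authorize(self, client_id, user):
        """The user grants consent (again): a new refresh token is issued."""
        self.issued += 1
        tokens = self.live.setdefault((client_id, user), deque())
        tokens.append(f"rt-{self.issued}")
        if len(tokens) > self.limit:
            tokens.popleft()                 # oldest token dies without warning
        return tokens[-1]

    def refresh(self, client_id, user, refresh_token):
        if refresh_token in self.live.get((client_id, user), ()):
            return {"access_token": f"at-for-{refresh_token}", "expires_in": 3600}
        return {"error": "invalid_grant"}    # standard OAuth 2.0 error code

class TokenStore:
    """Holds exactly one refresh token per (client_id, user): the newest."""
    def __init__(self):
        self.tokens, self.needs_reauth = {}, set()

    def save(self, client_id, user, refresh_token):
        self.tokens[(client_id, user)] = refresh_token   # overwrite older token
        self.needs_reauth.discard((client_id, user))

    def access_token(self, server, client_id, user):
        key = (client_id, user)
        token = self.tokens.get(key)
        resp = server.refresh(client_id, user, token) if token else {"error": "invalid_grant"}
        if "error" in resp:                  # token revoked, expired, or evicted
            self.tokens.pop(key, None)
            self.needs_reauth.add(key)       # send this user through consent again
            return None
        return resp["access_token"]

def demo():
    server, store = FakeAuthServer(), TokenStore()
    store.save("client-A", "alice", server.authorize("client-A", "alice"))
    for _ in range(50):                      # 50 further grants that were never saved
        newest = server.authorize("client-A", "alice")
    stale = store.access_token(server, "client-A", "alice")   # first token evicted
    store.save("client-A", "alice", newest)
    fresh = store.access_token(server, "client-A", "alice")
    bob = server.refresh("client-A", "bob", server.authorize("client-A", "bob"))
    return stale, fresh, "access_token" in bob   # a second user has a separate quota
```
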


Author: user3360031

Updated on June 18, 2022

Comments

  • user3360031
    user3360031 almost 2 years

    I'm developing an application wherein I need to access multiple Google calendars. All these calendars come from different users. And right now I am using OAuth2 for the syncing. But as I understand it, I can only generate 25 refresh tokens per client ID.

    Note: Save refresh tokens in secure long-term storage and continue to use 
    them as long as they remain valid. Limits apply to the number of refresh 
    tokens that are issued per client-user combination, and per user across all clients, 
    and these limits are different. If your application requests enough refresh tokens 
    to go over one of the limits, older refresh tokens stop working.
    

    As advised, I am keeping the refresh tokens in my DB. But my problem is, what if I get more clients who would want to sync their calendar? Is there any way to overlook the limit? Of course there isn't. What I have in mind right now is just to create more client IDs. Any advice?

  • DaImTo
    DaImTo over 9 years
    Yup. Where did you find that? I want to report it to Google as confusing. I just updated it with link from a better documentation source.
  • user3360031
    user3360031 over 9 years
    Sorry I deleted my previous comment. Anyway, here's where I read it: developers.google.com/accounts/docs/OAuth2.
  • user3360031
    user3360031 over 9 years
    Wew. I can finally proceed with this. Thanks @DalmTo for clarifying everything. :)
  • Adrian
    Adrian almost 5 years
    Sorry for digging up this old thread but I still don't 100% understand. I have 80+ websites, each uses the "Google Analytics Widget for Wordpress Dashboard" plugin which requires authorisation, but recently noticed I've gone over this limit as some of the older websites are unlinked because I have authorised newer ones. Do I have a limit of 25 or 50, and what is the workaround? Thanks
  • DaImTo
    DaImTo almost 5 years
    It's the User who can have 50+ refresh tokens. It has nothing to do with the websites. If a user is logged in you get a refresh token; if they log in again they get another refresh token. They can have up to 50 refresh tokens. It's important that you save the newest refresh token and not use the old ones. If you have 80+ websites then you should have 80+ projects; you should not be sharing clients across different applications.
  • camelBack
    camelBack over 4 years
    @DaImTo If I have a multi tenancy environment, where each tenant has its own redirect_uri, and multiple users - how many clients would I use? I currently have one OAuth client (with its own id and secret) for other calendar types I support, and each user that authenticates is generating a "private" refresh token and access token, which act independently on behalf of the client. If there is a 50 refresh token limit - I will be limited to 50 users. Or did I get the wrong idea?