
OAuth token lifecycle

The OAuth token lifecycle encompasses the issuance, refresh, introspection, and revocation of access and refresh tokens in an OAuth 2.0 system.

Key Phases

  1. Authorization & consent: User grants scoped access to a client application.
  2. Token issuance: Authorization server issues an access token (short-lived) and optionally a refresh token (long-lived).
  3. Token use: Client presents the access token to resource servers.
  4. Token refresh: When the access token expires, the client uses the refresh token to obtain a new pair.
  5. Revocation: User or admin revokes tokens, invalidating all associated access.
  6. Introspection: Resource servers verify token validity with the authorization server.

Operational Implications

  • Expiry tuning as an operational lever: Before a database migration, Cloudflare increased token expiry to multiple hours, reducing the number of refresh requests (and therefore database writes) during the upgrade window (Source: sources/2026-06-24-cloudflare-oauth-for-all).
  • Refresh token reuse detection: Strict servers (e.g., Ory Hydra 1.x) invalidate the entire token chain if a refresh token is reused, requiring patterns/refresh-token-coalescing at the proxy layer.
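To make the six phases and the refresh-token reuse rule concrete, here is an added in-memory model of an authorization server (example code written for this note, not Cloudflare's or Ory Hydra's implementation) that issues a short-lived access token with a rotating, single-use refresh token, revokes the whole token family when a refresh token is presented twice, and answers introspection. The `TokenStore` class, its method names and the 300-second default access TTL are assumptions chosen for illustration.

```python
import secrets
import time

# Constructed in-memory authorization server model; names and TTL are illustrative.
class TokenStore:
    def __init__(self, access_ttl=300, now=time.time):
        self.access_ttl = access_ttl            # expiry is the operational lever
        self.now = now                          # injectable clock for tests
        self.access = {}                        # access_token -> record
        self.refresh = {}                       # refresh_token -> record
        self.revoked_families = set()           # token chains killed by revocation/reuse

    def issue(self, scope):
        """Phase 2: issue a short-lived access token plus a refresh token in a new family."""
        family = secrets.token_hex(8)
        return self._mint(family, scope)

    def _mint(self, family, scope):
        at, rt = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[at] = {"family": family, "scope": scope, "exp": self.now() + self.access_ttl}
        self.refresh[rt] = {"family": family, "scope": scope, "used": False}
        return at, rt

    def refresh_pair(self, rt):
        """Phase 4 with rotation: each refresh token is single-use. Presenting one that was
        already consumed is treated as a stolen token and the whole family is revoked."""
        rec = self.refresh.get(rt)
        if rec is None or rec["family"] in self.revoked_families:
            return None
        if rec["used"]:
            self.revoke_family(rec["family"])   # strict reuse detection
            return None
        rec["used"] = True
        return self._mint(rec["family"], rec["scope"])

    def revoke_family(self, family):
        """Phase 5: invalidate every access and refresh token in the chain."""
        self.revoked_families.add(family)

    def introspect(self, at):
        """Phase 6: RFC 7662-style answer; the resource server acts only on 'active'."""
        rec = self.access.get(at)
        if rec is None or rec["family"] in self.revoked_families or rec["exp"] <= self.now():
            return {"active": False}
        return {"active": True, "scope": rec["scope"], "exp": int(rec["exp"])}
```

A client that retries a refresh after a timeout, or two workers sharing one refresh token, will trip the reuse check here exactly as described for strict servers above.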
