Introducing refresh token expiration

Posted June 18, 2026

Spotify

Protecting users means ensuring that app access to their Spotify account stays relevant and intentional, so we're introducing a 6-month expiration on refresh tokens.

TL;DR

Refresh tokens issued to apps registered on Spotify for Developers will now require reauthentication after 6 months. Once a refresh token expires, your app must send the user through the sign-in flow to obtain a new one.

  • New apps: affected as of today.
  • Existing apps: affected from July 20, 2026.

Read the updated refresh token documentation to learn what to expect and how to handle expiration gracefully.

Why is this happening?

Protecting Spotify users means ensuring that apps can only access their data when that access is still relevant and intentional. By introducing a 6-month lifetime on refresh tokens, we ensure that user authorizations are regularly re-confirmed, giving users more control over which apps can access their Spotify account.

What changes for developers

When a refresh token expires, the Spotify token endpoint (POST https://accounts.spotify.com/api/token) will return an invalid_grant error. Your app must handle this case by discarding the token and sending the user through the authorization code flow to obtain a new one.

Refreshing an access token does not reset or extend the refresh token's 6-month lifetime. The lifetime is measured from the moment of the user's original authorization. If the user re-authorizes your app, a fresh 6-month lifetime begins.

What to check in your app

  • Handle invalid_grant on token refresh. Do not retry the refresh: discard the stored token and redirect the user to sign in again. Keep this separate from transient failures (network errors, 5xx responses), which are still safe to retry with backoff.
  • Do not assume refresh tokens are permanent. Any code that treats a stored refresh token as indefinitely valid will need to be updated.
  • Test your reauthorization flow. Make sure users can sign in again smoothly if their refresh token has expired.
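The following is an added example, not Spotify's own code and not from the refreshing-tokens guide: a server-side Python refresh path that does what the checklist above asks. It stores the user's original authorization timestamp next to the tokens (the approach the FAQ below recommends), treats invalid_grant as "discard and re-authorize" rather than "retry", leaves the stored timestamp untouched when an access token is refreshed, and uses that timestamp to detect expiry locally before making a round trip. TokenStore, ReauthorizationRequired, FakeTokenEndpoint and demo() are this example's own names; spotify_token_post targets the real endpoint with HTTP Basic client authentication for the server-side Authorization Code flow, while the demo runs entirely against the constructed fake endpoint so it works offline. The 183-day figure is an assumption standing in for "6 months".

```python
import base64
import json
import time
from urllib import error, parse, request

TOKEN_URL = "https://accounts.spotify.com/api/token"
# Spotify says "6 months", not a second count; 183 days is this example's own estimate.
REFRESH_TOKEN_LIFETIME_S = 183 * 24 * 3600


class ReauthorizationRequired(Exception):
    """Stored refresh token expired or rejected: do not retry, run the auth code flow again."""


class TokenStore:
    """Per-user persistence (a dict here, a database table in a real app)."""

    def __init__(self):
        self.rows = {}

    def save_from_authorization(self, user_id, body, now):
        """Only the authorization-code exchange (first or repeat) sets authorized_at."""
        self.rows[user_id] = {"access_token": body["access_token"], "refresh_token": body["refresh_token"],
                              "access_expires_at": now + body["expires_in"], "authorized_at": now}

    def discard(self, user_id):
        self.rows.pop(user_id, None)


def spotify_token_post(client_id, client_secret, form):
    """POST to the real endpoint with HTTP Basic client auth (server-side Authorization Code
    flow); returns (status, JSON body). The offline demo() below never calls it."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = request.Request(TOKEN_URL, data=parse.urlencode(form).encode(), headers={
        "Authorization": f"Basic {creds}", "Content-Type": "application/x-www-form-urlencoded"})
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def refresh_access_token(store, user_id, client_id, client_secret, post=spotify_token_post, now=None):
    """Return a fresh access token for user_id, or raise ReauthorizationRequired."""
    now = time.time() if now is None else now
    row = store.rows.get(user_id)
    if row is None:
        raise ReauthorizationRequired("no tokens stored for this user")
    # Proactive check against our own timestamp: skip the round trip once we know it is dead.
    if now - row["authorized_at"] >= REFRESH_TOKEN_LIFETIME_S:
        store.discard(user_id)
        raise ReauthorizationRequired("refresh token past its 6-month lifetime")
    status, body = post(client_id, client_secret,
                        {"grant_type": "refresh_token", "refresh_token": row["refresh_token"]})
    if status == 200:
        row["access_token"], row["access_expires_at"] = body["access_token"], now + body["expires_in"]
        # A rotated refresh_token (the PKCE flow returns one) is stored, but authorized_at is
        # left alone: rotation does not restart the 6-month clock.
        row["refresh_token"] = body.get("refresh_token", row["refresh_token"])
        return row["access_token"]
    if body.get("error") == "invalid_grant":
        store.discard(user_id)  # no retry: the grant is gone
        raise ReauthorizationRequired("token endpoint returned invalid_grant")
    raise RuntimeError(f"transient token endpoint failure, HTTP {status}: {body}")  # caller may retry


class FakeTokenEndpoint:
    """Constructed offline stand-in: accepts one refresh token, answers anything else with
    {"error": "invalid_grant"}, which is also what an expired token gets."""

    def __init__(self, valid):
        self.valid, self.calls = valid, 0

    def __call__(self, client_id, client_secret, form):
        self.calls += 1
        if form.get("grant_type") == "refresh_token" and form.get("refresh_token") == self.valid:
            return 200, {"access_token": f"acc-{self.calls}", "token_type": "Bearer", "expires_in": 3600}
        return 400, {"error": "invalid_grant"}


def demo():
    """Authorize, refresh twice (clock unchanged), then exercise both expiry paths."""
    store, ep, t0, day = TokenStore(), FakeTokenEndpoint("rt-1"), 1_700_000_000.0, 86400
    grant = {"access_token": "acc-0", "refresh_token": "rt-1", "expires_in": 3600}
    store.save_from_authorization("u1", grant, now=t0)
    a1 = refresh_access_token(store, "u1", "cid", "sec", post=ep, now=t0 + 3600)
    a2 = refresh_access_token(store, "u1", "cid", "sec", post=ep, now=t0 + 90 * day)
    clock_unchanged = store.rows["u1"]["authorized_at"] == t0
    ep.valid = "rt-other"  # the server now rejects rt-1, as it will once the token has expired
    try:
        refresh_access_token(store, "u1", "cid", "sec", post=ep, now=t0 + 91 * day)
        rejected = False
    except ReauthorizationRequired:
        rejected = store.rows.get("u1") is None  # discarded, not retried
    store.save_from_authorization("u1", grant, now=t0 + 100 * day)  # user re-authorizes: new clock
    ep.valid, before = "rt-1", ep.calls
    try:
        refresh_access_token(store, "u1", "cid", "sec", post=ep, now=t0 + 100 * day + REFRESH_TOKEN_LIFETIME_S)
        proactive = False
    except ReauthorizationRequired:
        proactive = ep.calls == before  # expiry caught locally, no round trip made
    return {"a1": a1, "a2": a2, "clock_unchanged": clock_unchanged, "rejected": rejected, "proactive": proactive}
```

Two design points worth noting. The local lifetime check is a convenience, not the source of truth: the Spotify-side clock decides, so the invalid_grant branch must stay even if you track timestamps carefully. And the only code path that writes authorized_at is the authorization-code exchange, which is what makes "refreshing does not reset the timer" hold in your own store as well as on Spotify's side.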

See the refreshing tokens guide for code examples covering both browser and server-side flows.

Timeline

                                     New apps                            Existing apps
Refresh token expiration enforced    Now                                 July 20, 2026
Refresh token lifetime               6 months from user authorization    6 months from user authorization

FAQ

Does this affect Client Credentials flow? No. This only applies to tokens issued on behalf of a user (Authorization Code and Authorization Code with PKCE flows).

What happens when a refresh token expires? The token endpoint returns {"error": "invalid_grant"}. Your app should catch this, discard the stored tokens, and redirect the user to sign in again.

Does refreshing an access token reset the 6-month timer? No. The lifetime is always measured from the user's original authorization, not from the last refresh.

Will users lose their previously granted permissions? No. Re-authorizing issues a new access token and refresh token; it does not change what the user has approved. The user will be asked to sign in again, but their previously approved scopes will carry over as long as your app requests the same scopes.

How do I know when a refresh token was issued? Refresh tokens do not expose an issuance timestamp. If you need to track expiration, store the authorization timestamp in your own database when the user first authorizes your app, and update it only when the user re-authorizes, not on every refresh. Treat that timestamp as a hint for prompting users early; your app must still handle invalid_grant from the token endpoint, which is the authoritative signal.

What about existing users who authorized my app a long time ago? Once enforcement begins for existing apps, refresh tokens older than 6 months will be invalidated on their next use. Users will see the sign-in prompt and will need to re-authorize your app.


Reach out on the Spotify Developer Community forum with any questions.