Yes, refresh tokens do expire, even though they typically have a longer lifespan than access tokens. The error you're encountering:
{"error":"invalid_request","error_description":"The refresh token is invalid.","hint":"Cannot decrypt the refresh token","message":"The refresh token is invalid."}
says more than "expired". The server could not decrypt the token at all, so it never got as far as reading the expiry stored inside it. That points at a key mismatch, a corrupted or altered token, or a token this server never issued, rather than at simple expiration.
Breakdown of the Error
"Cannot decrypt the refresh token": the token reached the server, but the server could not turn it back into a readable record. Either the token bytes are not what the server issued (corrupted, truncated, tampered with, or a different kind of token altogether), or the key it was encrypted with is not the key the server now holds (for example because the key was rotated, or differs between server instances).
"The refresh token is invalid.": the generic message returned for any refresh token the server cannot validate. The hint is the part that tells you which check failed.
Possible Causes & Fixes
Key Rotation / Token Encryption Key Changed
If the key used to encrypt (or sign) refresh tokens changed on the server, e.g. during a deployment, a configuration update, or the setup of a new environment, every token issued under the old key becomes undecryptable at once. The same happens when several instances behind a load balancer hold different keys: a token issued by one instance fails on another.
Fix: Make sure every instance of the auth server reads the same secret key or keystore, and that the key survives deployments (store it in configuration or a secrets manager, not in a file that is regenerated on deploy). If you do have to rotate the key, either accept that all outstanding refresh tokens are invalidated and users must log in again, or give tokens a key identifier and keep the previous key available for decryption during a grace period.
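The following is an added example to illustrate the point above; it is not code from the original page or from any particular OAuth2 server. It uses only the Python standard library (HMAC-SHA256 in counter mode as the stream cipher plus a second HMAC as the tag, standing in for the AEAD a production server would use) and shows both failure and fix: replacing the only key makes an issued token undecryptable, while a keyring keyed by a key id (kid) lets old tokens keep working during rotation. The key ids, token layout and sample payloads are assumptions made for this demonstration.

```python
"""Why a changed encryption key makes every outstanding refresh token
undecryptable, and how a versioned keyring lets you rotate without that.

Added example, not code from the original page or from any particular
OAuth2 server. Standard library only: HMAC-SHA256 in counter mode is the
stream cipher and a second HMAC is the tag (encrypt-then-MAC), standing in
for the AEAD a production server would use. Key ids, token layout and the
sample payloads are assumptions made for this demonstration.
"""
import base64
import hashlib
import hmac
import json
import os


class CannotDecrypt(Exception):
    """No key in the ring can open this token (the 'Cannot decrypt' case)."""


def _subkeys(master: bytes) -> tuple:
    # Derive independent encryption and MAC keys from one stored master key.
    enc = hmac.new(master, b"refresh-token-enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"refresh-token-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC used as a PRF in counter mode; a nonce is never reused under one key.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(keyring: dict, kid: str, payload: dict) -> str:
    """Encrypt payload under keyring[kid]. Token layout: kid.nonce.ciphertext.tag (kid in the clear)."""
    enc_key, mac_key = _subkeys(keyring[kid])
    nonce = os.urandom(16)
    plaintext = json.dumps(payload, separators=(",", ":")).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, kid.encode() + nonce + ct, hashlib.sha256).digest()
    return ".".join([kid, _b64e(nonce), _b64e(ct), _b64e(tag)])


def open_token(keyring: dict, token: str) -> dict:
    """Look the key up by kid, verify the tag, then decrypt. Any failure is CannotDecrypt."""
    try:
        kid, n, c, t = token.split(".")
        nonce, ct, tag = _b64d(n), _b64d(c), _b64d(t)
    except ValueError as exc:  # wrong field count or bad base64
        raise CannotDecrypt("malformed token") from exc
    if kid not in keyring:
        raise CannotDecrypt(f"no key for kid={kid!r}: key rotated away or token issued elsewhere")
    enc_key, mac_key = _subkeys(keyring[kid])
    expected = hmac.new(mac_key, kid.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise CannotDecrypt("tag mismatch: token corrupted, truncated or tampered with")
    plaintext = bytes(x ^ k for x, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext)


def demo_hard_rotation() -> str:
    """Deploy with a brand-new key and discard the old one: the old token is dead."""
    ring = {"k1": os.urandom(32)}
    token = seal(ring, "k1", {"sub": "user-42", "client": "web"})
    ring = {"k2": os.urandom(32)}  # the server now only knows k2
    try:
        open_token(ring, token)
    except CannotDecrypt as exc:
        return str(exc)
    return "unexpectedly opened"


def demo_versioned_rotation() -> str:
    """Add the new key but keep the old one for a grace period: old tokens still open."""
    ring = {"k1": os.urandom(32)}
    token = seal(ring, "k1", {"sub": "user-42", "client": "web"})
    ring["k2"] = os.urandom(32)  # new tokens are issued under k2; k1 stays decrypt-only
    return open_token(ring, token)["sub"]
```

The tag is verified before anything is decrypted, so a corrupted or edited token and a token encrypted under a key the server no longer has both end in the same "cannot decrypt" outcome, which is exactly why the error message alone does not tell you which of the causes below applies.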
Refresh Token Expired
Even when the error message does not say so, refresh tokens usually expire after a fixed lifetime or a period of inactivity (for example 7 or 30 days). Keep in mind, though, that the server has to decrypt a token before it can read its expiry, so a token that is merely old should produce an expiry-related error rather than this one; if long-lived tokens start failing with this hint, the key is the more likely culprit.
Fix: Check the refresh token lifetime configured on your token issuer (OAuth2 provider, identity service) and whether it is absolute or based on inactivity.
Refresh Token Was Already Used / Rotated
Some systems implement refresh token rotation: each refresh token can be used exactly once, and every successful refresh response carries a new refresh token along with the new access token. Presenting an already-used token fails, and many servers treat the reuse as a sign of theft and revoke every token in that chain, so a single replay can lock out the legitimate client as well.
Fix: Store the new refresh token from every successful refresh response, replacing the old one together with the access token, and make sure concurrent requests in your client cannot race to refresh with the same token.
Token Format Invalid or Corrupted
If the token was edited, truncated, URL-encoded twice, or otherwise mangled between issuance and use, decryption fails.
Fix: Verify that the token is sent exactly as issued and was not altered in transit or storage (check encoding, stray whitespace, and column length limits in your database). When comparing the issued and submitted values, compare hashes or the first few characters rather than logging full refresh tokens in plaintext; a refresh token in a log file is a credential.
Client Sending Wrong Token
Sometimes the client sends the wrong token: a stale one left in local storage, a cache, or a cookie, or one issued by a different environment (staging vs. production).
Fix: Clear the stored tokens, re-authenticate to get a fresh access/refresh pair, and confirm the client reads from the same storage location it writes to.
Solution Flow
You get invalid_request with the hint Cannot decrypt the refresh token.
Re-authenticate to obtain a new access and refresh token pair, and confirm the fresh pair refreshes successfully at least once.
Compare the token you stored with the one you submitted (by hash or prefix, not by logging the full value).
Check that every auth server instance uses the same encryption key and that the key is not regenerated on deployment.
Review the refresh token lifetime and rotation policy on your identity/auth server.
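The following is an added example, not code from the original page or from any real SDK, covering the rotation, wrong-token and recovery points above from the client side. The token endpoint is simulated in-process so the code runs offline; its rules (each refresh token usable once, replay of a spent token revokes the whole token family, the hint strings it returns) and all class and function names are assumptions made for this demonstration. It contrasts a client that keeps reusing its original refresh token with one that stores the new pair on every refresh, serialises refreshes, and re-authenticates when the server reports the token as invalid.

```python
"""Client-side handling of rotating refresh tokens: what goes wrong when the
old refresh token is kept, and a client that stores the new pair on every
refresh and recovers from an invalid token by re-authenticating.

Added example, not code from the original page or from any real SDK. The
token endpoint is simulated in-process (FakeAuthServer) so this runs
offline; its rules (each refresh token usable once, replay of a spent token
revokes the whole token family, the hint strings it returns) and all class
and function names are assumptions made for this demonstration.
"""
import secrets
import threading

INVALID = {
    "error": "invalid_request",
    "error_description": "The refresh token is invalid.",
    "message": "The refresh token is invalid.",
}


class FakeAuthServer:
    """Stand-in for a token endpoint with refresh token rotation and reuse detection."""

    def __init__(self):
        self._live = {}   # refresh token -> family id, usable exactly once
        self._spent = {}  # refresh token -> family id, already exchanged

    def _issue(self, family: str) -> dict:
        rt = secrets.token_urlsafe(24)
        self._live[rt] = family
        return {"access_token": secrets.token_urlsafe(12), "refresh_token": rt}

    def login(self) -> dict:
        return self._issue(secrets.token_hex(4))  # a new family per login

    def refresh(self, rt: str) -> dict:
        if rt in self._live:
            family = self._live.pop(rt)
            self._spent[rt] = family
            return self._issue(family)
        if rt in self._spent:
            # Replay of an already-exchanged token: presumed theft, revoke the whole chain.
            family = self._spent[rt]
            for t in [t for t, f in self._live.items() if f == family]:
                del self._live[t]
            return dict(INVALID, hint="Token has been revoked")
        # Not something this server issued (or issued under a key it no longer has).
        return dict(INVALID, hint="Cannot decrypt the refresh token")


class NaiveClient:
    """Bug on purpose: saves only the new access token and keeps the original refresh token."""

    def __init__(self, server: FakeAuthServer):
        self.server = server
        self.tokens = server.login()

    def refresh(self) -> dict:
        resp = self.server.refresh(self.tokens["refresh_token"])
        if "error" not in resp:
            self.tokens["access_token"] = resp["access_token"]  # refresh_token left stale
        return resp


class RotatingClient:
    """Stores the whole pair on every refresh, serialises refreshes, re-logs in on failure."""

    def __init__(self, server: FakeAuthServer):
        self.server = server
        self._lock = threading.Lock()
        self.tokens = server.login()
        self.relogins = 0

    def refresh(self) -> dict:
        with self._lock:  # single-flight: two callers can never spend the same token
            resp = self.server.refresh(self.tokens["refresh_token"])
            if "error" in resp:
                # Stale, replayed or foreign token: drop it and start a fresh session
                # instead of retrying with the same bytes.
                self.tokens = self.server.login()
                self.relogins += 1
            else:
                self.tokens = resp  # replace access and refresh token together
            return resp


def demo_naive() -> str:
    """The second refresh with the kept-around token is a replay and kills the family."""
    client = NaiveClient(FakeAuthServer())
    client.refresh()
    return client.refresh()["hint"]


def demo_rotating() -> int:
    """Five refreshes in a row all succeed because each one stores the new token."""
    client = RotatingClient(FakeAuthServer())
    return sum(1 for _ in range(5) if "error" not in client.refresh())


def demo_stale_storage() -> tuple:
    """Wrong token picked up from storage: the server cannot decrypt it, the client re-authenticates."""
    client = RotatingClient(FakeAuthServer())
    client.tokens = {"access_token": "old", "refresh_token": "left-over-from-another-deployment"}
    first = client.refresh()
    return first["hint"], client.relogins, "error" not in client.refresh()
```

The lock in RotatingClient matters more than it looks: two parallel requests that both notice an expired access token and both call the token endpoint with the same refresh token are a replay from the server's point of view, and with reuse detection that costs you the whole session.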
If you face any difficulties with this, you can access our free support with our experts.