Does the Creator's Access Token expire?

Does the Creator’s Access Token expire?

According to the following post, as of February 26th, the Creator's Access Token does not expire for newly created clients:

I am happy to report that this is now going to be the norm - but only for newly made clients. I will try to make the change retroactive but that will obviously take more time.

Great, thanks. That’s the only thing I could find about it and wasn’t sure that’s what it meant.

I made client just a week ago and my creator access token is expiring, is it a bug?

I created a client yesterday and my creator access token as well as the creator refresh token change values every few hours.

Which app are you using with your client?

I created a client in the My Clients page that uses API v2, my domain is https://companions.love.

Not sure how any of this is relevant but that’s the only things I could think of as an answer to “what app are you using?”

Integration is working, but only for a few hours if I don’t paste the new creator access token every time.

When checking My Clients for the new token, I notice the creator refresh token has a new value as well, every time.

I am not calling the token refresh endpoint in my code

Does this still persist as of this moment?

I started using a valid creator token just about now (I stored the corresponding refresh token too).
I will let a few hours pass and let you know if they changed.

Great. It may have been a temporary thing.

I have patreon user login on my website.
I occasionally test if that works by creating a new account and logging in with MY patreon account.

I just realized that by requesting tokens that way, my actual creator tokens are being refreshed. I assumed my “patreon user” token was different from my “creator” tokens. But apparently that’s not the case.

The reason why I did not notice that earlier is that the login will still work for everyone since they send auth requests independently from my creator tokens. Only when I want to use the creator token stored in my app to fetch campaign members etc it starts to fail.

So is there anything special about a creator token? Are they supposed to be refreshed when I require login to my page as a “user”?

Also, does this mean if some creator ever happens to login on my page, their app will stop working? Lol

Creator tokens are separate from users’ tokens and they should be refreshed separately before expiry.

You should have a cron that triggers a code that checks creator token expiry and refreshes it with a refresh call to oAuth endpoints using refresh code. Later saving the new token of course.

This creator token only pertains to your particular creator account related to that token. Nobody else. Also no other Patreon account you have.

So if I understand that correctly:
If I login via Patreon with my creator account on someone else’s app (which fires a request to https://api.patreon.com/oauth2/token with grant_type “authorization_code”).
Then my own app will stop working because that request changed my user token which is also my creator token. I’m aware of the refresh mechanic, but the refresh token is also “gone” after such a login.
And if someone logs into my application with their creator account the same will happen to them.

PS sorry for my tone, I seriously appreciate the feedback, but this is mindboggling if true

Thats not the case. An authorization code generated for your app, and the tokens generated for another app is different from the ones for your app. They are totally isolated. There is no relevance.

Your creator token belongs to your app, they belong to your creator account.

User access tokens are specific for each user and to each app. 2 user tokens wont be the same.

You may check some oAuth guides to get a better grasp of the process.

1 Like

I see, so I can only “bust” my own creator token when logging in to my app.
(And I either have to not do that, or update the tokens in my db whenever it happens).

That cleared things up, thanks

1 Like

When you get the tokens from the API, their expiry dates should be included in the info as well - you can use that into to refresh tokens.