Previously in Intuit’s OAuth2.0 authorization flow, refresh tokens were considered long-lived and remained valid as long as they were used at least every 100 days, making them effectively permanent. This policy has changed. All refresh tokens will now have a maximum validity period of five years. This change ensures that tokens are rotated regularly, reducing the risk associated with long-lived tokens.
When includeRefreshTokenHardExpiresIn is set as true while calling the refresh token call, refreshTokenHardExpiresIn in OAuth2AccessToken will have the refresh token expiry value