Google API refresh token limit

user3360031 · Oct 1, 2014 · Viewed 13.3k times

I'm developing an application wherein I need to access multiple google calendars. All these calendars come from different users. And right now I am using OAuth2 for the syncing. But as I understand it, I can only generate 25 refresh tokens per client ID.

Note: Save refresh tokens in secure long-term storage and continue to use them as long as they remain valid. Limits apply to the number of refresh tokens that are issued per client-user combination, and per user across all clients, and these limits are different. If your application requests enough refresh tokens to go over one of the limits, older refresh tokens stop working.

As advised, I am keeping the refresh tokens in my DB. But my problem is, what if I get more clients who would want to sync their calendar? Is there any way to overlook the limit? Of course there isn't. What I have in mind right now is just to create more client IDs. Any advice?

Answer

DaImTo · Oct 1, 2014

It's 50 per user (client-user), as in a user of your client, not per client_id. For each person that authenticates your application you can have them authenticate it up to 50 times. Each refresh token you receive will work. After the 50th, the first one will stop working. They will also work for up to 6 months I think; if it hasn't been used for 6 months it will be invalidated.

You can have as many people use your client (client_id) as are willing to authenticate you. You won't have any problems.

From the Google OAuth2 documentation found here

Token expiration

You must write your code to anticipate the possibility that a granted token might no longer work. A token might stop working for one of these reasons:

• The user has revoked access.

• The token has not been used for six months.

• The user changed passwords and the token contains Gmail scopes.

• The user account has exceeded a certain number of token requests.

There is currently a limit of 50 refresh tokens per user account per client. If the limit is reached, creating a new token automatically invalidates the oldest token without warning. This limit does not apply to service accounts.

There is also a larger limit on the total number of tokens a user account or service account can have across all clients. Most normal users won't exceed this limit but a developer's test account might.

If you need to authorize multiple programs, machines, or devices, one workaround is to limit the number of clients that you authorize per user account to 15 or 20. If you are a Google Apps admin, you can create additional admin users and use them to authorize some of the clients.

Question: Where did you find this? I would like to report it to Google, it's a bit confusing.

Note: Save refresh tokens in secure long-term storage and continue to use them as long as they remain valid. Limits apply to the number of refresh tokens that are issued per client-user combination, and per user across all clients, and these limits are different. If your application requests enough refresh tokens to go over one of the limits, older refresh tokens stop working.
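As an added illustration of the answer above (example code written for this page, not code from either participant or from Google), the following simulates the documented per-client-user limit with a constructed stand-in for Google's token endpoint and shows the pattern the docs ask for: one stored refresh token per (client, user), reused on every sync, with `invalid_grant` treated as "send the user back through consent" rather than re-authorizing on every run. The endpoint class, the token formats and the 6-month/revocation cases are assumptions of this simulation, not real Google behaviour beyond what the quoted docs state.

```python
from collections import defaultdict, deque

REFRESH_TOKEN_LIMIT = 50  # per client-user combination, as quoted from the Google docs above


class FakeTokenEndpoint:
    """Constructed stand-in for Google's token endpoint: every consent issues a new refresh
    token, and only the newest REFRESH_TOKEN_LIMIT per (client_id, user) stay valid."""
    def __init__(self):
        self._valid = defaultdict(lambda: deque(maxlen=REFRESH_TOKEN_LIMIT))
        self._owner, self._issued = {}, 0

    def authorize(self, client_id, user):
        """One trip through the consent screen: returns a brand-new refresh token."""
        self._issued += 1
        token = f"rt-{self._issued}"
        self._owner[token] = (client_id, user)
        self._valid[(client_id, user)].append(token)  # deque silently drops the oldest past the limit
        return token

    def refresh(self, client_id, refresh_token):
        """Mimics POST /token with grant_type=refresh_token; returns (status, body)."""
        key = self._owner.get(refresh_token)
        if key is None or key[0] != client_id or refresh_token not in self._valid[key]:
            return 400, {"error": "invalid_grant"}  # revoked, idle for 6 months, or pushed out
        return 200, {"access_token": f"at-for-{refresh_token}"}


class ReauthorizationRequired(Exception):
    """The stored token no longer works: the user must go through consent again."""


def get_access_token(store, endpoint, client_id, user):
    """Reuse the single stored refresh token per (client, user); only a dead token triggers re-consent."""
    token = store.get((client_id, user))
    if token is None:
        raise ReauthorizationRequired(user)
    status, body = endpoint.refresh(client_id, token)
    if status == 200:
        return body["access_token"]
    if body.get("error") == "invalid_grant":
        store.pop((client_id, user), None)  # forget it so the next call re-consents
        raise ReauthorizationRequired(user)
    raise RuntimeError(body)


def sync_once(store, endpoint, client_id, user):
    """One calendar sync: stored-token path first, consent only when actually required."""
    try:
        return get_access_token(store, endpoint, client_id, user)
    except ReauthorizationRequired:
        store[(client_id, user)] = endpoint.authorize(client_id, user)
        return get_access_token(store, endpoint, client_id, user)
```

Running many syncs for many users against one client never issues more than one token per user, whereas re-authorizing on every sync kills the first token at the 51st consent.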