Generating long lasting OAUTH tokens in Lucid

  • 4 January 2023
  • 2 replies

Userlevel 1
Badge +2

Hello World!

My name is Michael Bowers and I am the team lead for Lucid’s External Api team. I am extremely excited to begin building our community and work directly with you to enable Lucid to help take your vision to the next level. To do that I would like to start with our most asked question:

Developers exploring our APIs often say to us “An OAuth token is required to use your endpoints and a user needs to manually authorize the creation of this token via a browser. These tokens expire every hour… is there a way to build a long-living application on your API that doesn’t require a user/manual intervention every hour?”.

Good news. There is a way! With our APIs you can build an application that requires user intervention just once and can then run forever without any further user action by generating refresh tokens.

This can be done by requesting the offline_access scope when obtaining the initial OAuth token. Including this scope will cause a refresh token to be provided in the Create Token response. The refresh token can be used to “refresh” the initial access token WITHOUT needing a user to open a browser. In other words even though the initial access token expires every hour the refresh token can be used to create a new valid access token (also with an hour lifespan). 


Now this refresh token does have a limited lifespan itself (currently 6 months). However the refresh token itself can be refreshed and this doesn’t require a user to open a browser… which means the user’s initial authorization can be refreshed and maintained completely programmatically (i.e. without further user intervention) for an indefinite period of time.

There are two small but important caveats to add. First if the refresh token is not refreshed programmatically before it expires then user intervention will be needed to re-authorize the application. Second your integration may want to request different scopes as your features grow. If your integration wants to do more it may need to request a new token with those new permissions. A refreshed token only has the permissions granted to the original token and can not be expanded.

Hopefully that helps clarify long-lasting authentication. I look forward to working with all of you and viewing the amazing ways you utilize Lucid to collaborate visually to achieve your goals.


Userlevel 1
Badge +2

Great question.

The authorization token does not have to be refreshed before its expired (currently 1 hour).  As long as the refresh occurs before the refresh token is expired (currently 6 months) it will be successful.

Hi is there a way to extend access token lifetime in refresh request.

token renew works but every month we have a maintenance break and in some cases it will last over an hour on current implementation this would cause refresh to fail. (not done within lifetime of access token lifetime of access token received in refresh request is always 3600). 

is there a way around this?