OAuth2 quirks

Token lifecycle and scope behavior that affects integrations

This page documents OAuth2 behaviors that are easy to miss when building token storage, refresh, and permission handling.

Token expiration

OAuth2 access tokens do not expire while they are in regular use, but a token that goes unused for too long is invalidated (see the inactivity row below).

They are also invalidated in these cases:

Event                                               Effect
The user revokes the application authorization      All tokens for that user and that application are invalidated.
The application owner refreshes the client_secret   All tokens for all users of that application are invalidated.
A token is inactive for more than 15 days           That token is invalidated.

Do not assume a stored token stays valid forever. Record when each token was last used, treat an authentication failure on a previously working token as invalidation rather than a transient error, and send the user back through the authorization flow. Note that refreshing the client_secret invalidates every user's tokens at once, so plan for a burst of re-authorizations after rotating it.

Scopes

Scopes are bound to the user's authorization of your application, not to a specific token instance.

If a user re-authorizes your application with additional scopes, older tokens already authorized for that same application will also gain access to those newly approved scopes.

This matters if your application stores multiple tokens for the same user and assumes each token has an isolated permission set. Separate tokens for one user are not a least-privilege boundary: a token you issued for a read-only component gains write access as soon as that user approves a write scope anywhere in your application.

Use GET /oauth/me when you need to inspect the current effective scopes on a token, rather than relying on the scopes recorded when that token was issued.
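The following is an added example, not code from this page or from the provider, covering both the token expiration handling and the scope check above. It assumes two things the page does not state: that a call made with an invalidated token is answered with HTTP 401, and that GET /oauth/me returns a JSON object with a "scopes" list. The HTTP transport is injected, so the example runs offline against a constructed FakeAuthServer that models only the behaviour the page describes; the 15-day inactivity rule is enforced proactively on the client side.

```python
"""Added example, not the page's or the provider's code. Assumed, not stated on the page:
an invalidated token is answered with HTTP 401, and GET /oauth/me returns JSON with a
"scopes" list. The transport is injected so this runs offline against FakeAuthServer."""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, Tuple

INACTIVITY_LIMIT = timedelta(days=15)  # page: a token idle for more than 15 days is invalidated
Transport = Callable[[str, str, str], Tuple[int, dict]]  # (method, path, token) -> (status, body)

class ReauthorizationRequired(Exception):
    """Stored token is unusable; send the user through the authorization flow again."""

class TokenClient:
    def __init__(self, transport: Transport, now: Callable[[], datetime]):
        self.transport, self.now = transport, now
        self.tokens: Dict[str, dict] = {}  # user_id -> {"value": token, "last_used_at": datetime}

    def store(self, user_id: str, token_value: str) -> None:
        self.tokens[user_id] = {"value": token_value, "last_used_at": self.now()}

    def likely_expired(self, user_id: str) -> bool:
        # Proactive check: a token idle past the limit is treated as dead without trying it.
        tok = self.tokens.get(user_id)
        return tok is None or self.now() - tok["last_used_at"] > INACTIVITY_LIMIT

    def call(self, user_id: str, method: str, path: str) -> dict:
        if self.likely_expired(user_id):
            self.tokens.pop(user_id, None)
            raise ReauthorizationRequired(user_id)
        tok = self.tokens[user_id]
        status, body = self.transport(method, path, tok["value"])
        if status == 401:  # assumed signal for revocation, client_secret rotation or server-side expiry
            self.tokens.pop(user_id, None)
            raise ReauthorizationRequired(user_id)
        tok["last_used_at"] = self.now()
        return body

    def effective_scopes(self, user_id: str) -> frozenset:
        # Scopes belong to the user/application grant, so ask the server instead of trusting a cache.
        return frozenset(self.call(user_id, "GET", "/oauth/me")["scopes"])  # "scopes" field is assumed

    def require_scopes(self, user_id: str, needed: Iterable[str]) -> None:
        missing = frozenset(needed) - self.effective_scopes(user_id)
        if missing:
            raise PermissionError(f"token for {user_id} lacks scopes {sorted(missing)}")

class FakeAuthServer:
    """Constructed stand-in modelling only what the page describes: scopes live on the
    (user, application) grant, not on a token; rotating client_secret invalidates every token."""
    def __init__(self):
        self.grant_scopes: Dict[str, set] = {}  # user_id -> scopes of that user's grant
        self.token_owner: Dict[str, str] = {}   # token -> user_id
        self.revoked: set = set()

    def authorize(self, user_id: str, scopes: Iterable[str]) -> str:
        self.grant_scopes.setdefault(user_id, set()).update(scopes)  # re-authorizing widens the grant
        token = f"tok-{user_id}-{len(self.token_owner)}"
        self.token_owner[token] = user_id
        return token

    def rotate_client_secret(self) -> None:
        self.revoked.update(self.token_owner)  # every token of every user

    def transport(self, method: str, path: str, token: str) -> Tuple[int, dict]:
        user = self.token_owner.get(token)
        if user is None or token in self.revoked:
            return 401, {"error": "invalid_token"}
        if (method, path) == ("GET", "/oauth/me"):
            return 200, {"user_id": user, "scopes": sorted(self.grant_scopes[user])}
        return 200, {"ok": True}

def outcome(fn) -> str:
    # Reduce a call to what the caller must do next.
    try:
        fn()
        return "ok"
    except ReauthorizationRequired:
        return "reauthorize"
    except PermissionError:
        return "denied"

def demo() -> dict:
    # Two components of one application hold different tokens for the same user "alice".
    server = FakeAuthServer()
    clock = {"now": datetime(2024, 1, 1, tzinfo=timezone.utc)}
    web = TokenClient(server.transport, now=lambda: clock["now"])
    worker = TokenClient(server.transport, now=lambda: clock["now"])
    out = {}
    web.store("alice", server.authorize("alice", {"read"}))
    out["scopes_initial"] = web.effective_scopes("alice")
    worker.store("alice", server.authorize("alice", {"read", "write"}))
    out["scopes_old_token_after_reauth"] = web.effective_scopes("alice")  # old token widened too
    out["needs_admin"] = outcome(lambda: web.require_scopes("alice", {"admin"}))
    clock["now"] += timedelta(days=10)
    worker.call("alice", "GET", "/items")  # keeps the worker token active; the web token stays idle
    clock["now"] += timedelta(days=6)      # web token now idle for 16 days
    out["web_after_inactivity"] = outcome(lambda: web.call("alice", "GET", "/items"))
    out["worker_still_active"] = outcome(lambda: worker.call("alice", "GET", "/items"))
    server.rotate_client_secret()          # invalidates everything server-side
    out["worker_after_rotation"] = outcome(lambda: worker.call("alice", "GET", "/items"))
    return out
```

Running demo() shows the web component's token reporting {"read", "write"} after the worker obtained a second token with the wider grant, the idle web token being dropped before it is even tried, and the secret rotation surfacing through the same ReauthorizationRequired path as a 401. The transport function is the only place that talks HTTP, so swapping the fake for a real client (and adjusting the 401 and "scopes" assumptions to the provider's actual responses) leaves the lifecycle logic unchanged.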