OAuth2 quirks

Token lifecycle and scope behavior that affects integrations

This page documents OAuth2 behaviors that are easy to miss when building token storage, refresh, and permission handling.

Token expiration

OAuth2 access tokens do not expire under frequent usage, but inactivity can lead to a token’s expiration.

They are also invalidated in these cases:

| Event | Effect |
| --- | --- |
| The user revokes the application authorization | All tokens for that user and that application are invalidated. |
| The application owner refreshes the client_secret | All tokens for all users of that application are invalidated. |
| A token is inactive for more than 15 days | That token is invalidated. |

Do not assume a stored token stays valid forever. Your client should handle token invalidation and re-authorization cleanly.

Scopes

Scopes are not bound to a specific token instance.

If a user re-authorizes your application with additional scopes, older tokens already authorized for that same application will also gain access to those newly approved scopes.

This matters if your application stores multiple tokens for the same user and assumes each token has an isolated permission set.

Use GET /oauth/me when you need to inspect the current effective scopes on a token.
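
The token expiration and scope behavior above, as an added example that is not part of the Wynncraft documentation: a client-side store that keeps scopes per user grant instead of per token and treats token rejection as a normal outcome. `GrantStore`, `TokenInvalid` and the injected `lookup_scopes` callable are hypothetical names; the page does not give the GET /oauth/me response format, so the lookup is assumed to return scope names or raise when the API rejects the token.

```python
from dataclasses import dataclass, field
from datetime import timedelta

INACTIVITY_LIMIT = timedelta(days=15)  # page: inactive for more than 15 days

class TokenInvalid(Exception):
    """Assumed signal: the injected lookup raises this when the API rejects a token."""

@dataclass
class Grant:
    """One user's authorization of this application, as seen by the client."""
    scopes: set = field(default_factory=set)    # shared by every token of the grant
    tokens: dict = field(default_factory=dict)  # token -> last time the API accepted it

class GrantStore:
    def __init__(self, lookup_scopes):
        # lookup_scopes(token) -> iterable of scope names; hypothetical wrapper
        # around GET /oauth/me (the response format is not given on the page).
        self._lookup = lookup_scopes
        self.grants = {}

    def add_token(self, user, token, now):
        self.grants.setdefault(user, Grant()).tokens[token] = now

    def stale_tokens(self, user, now):
        """Tokens unused past the inactivity limit; treat them as likely invalid."""
        grant = self.grants.get(user, Grant())
        return sorted(t for t, used in grant.tokens.items()
                      if now - used > INACTIVITY_LIMIT)

    def refresh(self, user, now):
        """Re-read effective scopes and drop rejected tokens.
        Returns True when no usable token is left and the user must re-authorize."""
        grant = self.grants.setdefault(user, Grant())
        for token in list(grant.tokens):
            try:
                grant.scopes = set(self._lookup(token))  # grant-wide, not per token
                grant.tokens[token] = now
            except TokenInvalid:
                del grant.tokens[token]
        if not grant.tokens:
            grant.scopes = set()  # revocation or secret refresh: nothing survives
        return not grant.tokens

    def allowed(self, user, scope):
        grant = self.grants.get(user)
        return bool(grant and grant.tokens and scope in grant.scopes)
```

Authorization decisions go through `allowed`, so a scope added by a later re-authorization applies to every stored token for that user, and a grant with no surviving token authorizes nothing.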