I refresh the token, but I get 90 days

Hi everyone!

Correct me if I’m wrong, but a while back there was an announcement that said that the token for the API would change from 90 days to 24 hours. So you need to use the refresh token every day to get a new one. I changed my application (Windows PowerShell and VB) to do that, but I keep noticing in the JSON reply that the token expiry is still 90 days.

Am I missing something?

Thanks

-Vassilis

What type of authentication are you using? It’s possible there is a path with the old expiration time. In any case, my recommendation would be to save the expiration and dynamically use that to get a new token when needed.

I’m using this code in PowerShell:

# Request body for the OAuth refresh grant ($refreshtoken is set earlier in the script)
$values = @{
    'refresh_token' = $refreshtoken
    'client_id'     = '65'
    'client_secret' = '1d5f6bdeb4'
    'redirect_uri'  = 'urn:ietf:wg:oauth:2.0:oob'
    'grant_type'    = 'refresh_token'
} | ConvertTo-Json

$headers = @{
    'User-Agent'   = 'WatchedShows v1.0'
    'Content-Type' = 'application/json'
}

$path = "token.txt"
$url  = "https://api.trakt.tv/oauth/token"
$response = Invoke-RestMethod -Uri $url -Method Post -Headers $headers -Body $values
$access_token  = $response.access_token
$refresh_token = $response.refresh_token
$expires_in    = $response.expires_in

# Print both tokens and append them to token.txt
Write-Host "Access Token: [$access_token]" ; Add-Content $path "Access Token: [$access_token]"
Write-Host "Refresh Token: [$refresh_token]" ; Add-Content $path "Refresh Token: [$refresh_token]"

The result is the access and refresh token, and for the expiry I get 90 days (7775999 seconds), which is valid because I tried the same access token 3 days later and it works.

Hey,

It is possible that you still have an “old” token that still has a 90-day validity.
If you keep refreshing it every 90 days (or before or after… what matters most is to use the refresh flow properly), you will get another access token with a 90-day validity.

If you revoke your current access token (e.g. logout) or if you do a fresh login, you should get a new access token with a 24-hour validity.

Basically, if you refresh a 90-day validity access token, you will get a new 90-day validity access token. Once you get a 24-hour validity access token, you will get a new 24-hour validity access token.

It is also possible that one day we have to revoke all tokens we have server-side. In other words: there is no guarantee that you will be able to keep this 90-day validity access token forever.

Hope this clarifies things.

Kevin

Hey Kevin, my goal is not to get a forever 90 days token. No, my goal is to make it right.

The thing is, I just use the refresh token to get a new access token. That has been happening from day one after the announcement. And I did get a new token through the GUI of the Trakt webpage. This is how I was doing it before, because I just had a msgbox reminder 10 days before the 90 and I went manually and got one and inserted it in my app.

After the announcement I did the same, so I took a new one and made the PowerShell; the validity is always 90 days.

I think it is a timing issue. When the change was announced, the token validity stayed at 90 days for a period that has been extended. So, if you got a new token (not with a refresh but with a new login), that token was still with a validity of 90 days (and will stay with a 90 days validity after each refresh).

If today you logout/revoke your current token and login again to get a new token, that token should have a 24 hours validity.

1 Like

OK, maybe that is the issue. I don’t have a logout option in the app, so I need to check how to do it with just a POST.

Otherwise I have the date of the creation and a counter; so far I am at 4 days and it is working, so I will renew it at all until it says not working (after 90 days).

Old nice method !!!

There’s a strange situation: after authorization, a day or two passes and the token renewal ends with an error.

On the 16th, the token was received without any problems.

2025-09-16 20:49:11.333 [INFO] [Sync][36]: The trakt access token has now expired as of 15.09.2025 19:37:41, requesting refresh token
2025-09-16 20:49:11.343 [DEBG] [Sync][36]: Address: https://api.trakt.tv/oauth/token, Post: {"client_id":"client-id","client_secret":"secret","grant_type":"refresh_token","redirect_uri":"urn:ietf:wg:oauth:2.0:oob","refresh_token":"token"}
2025-09-16 20:49:11.810 [DEBG] [Sync][36]: Response: {"access_token":"token","token_type":"Bearer","expires_in":86399,"refresh_token":"token","scope":"public","created_at":1758044955}, Headers: {Transfer-Encoding: chunked, Connection: keep-alive, CF-RAY: 9802330daae4ef1a-WAW, x-xss-protection: 0, x-content-type-options: nosniff, x-download-options: noopen, x-permitted-cross-domain-policies: none, referrer-policy: strict-origin-when-cross-origin, content-security-policy: frame-ancestors 'self' https://trakt.tv https://*.trakt.tv http://localhost:* https://localhost:*;, pragma: no-cache, vary: Accept-Encoding, x-ratelimit: {"name":"AUTHED_API_POST_LIMIT","period":1,"limit":1,"remaining":0,"until":"2025-09-16T17:49:16Z"}, x-request-id: 429051fb-8b7b-437f-b0f2-06b3d849b208, x-runtime: 0.025655, cf-cache-status: DYNAMIC, alt-svc: h3=":443"; ma=86400, Cache-Control: no-store, Content-Type: application/json; charset=utf-8, Date: Tue, 16 Sep 2025 17:49:15 GMT, ETag: W/"cd4fae994217edd8265c240b1b368e77", Set-Cookie: _traktsession=session; path=/; HttpOnly; SameSite=Lax, Server: cloudflare}
2025-09-16 20:49:11.830 [DEBG] [Sync][36]: Address: https://api.trakt.tv/users/settings
2025-09-16 20:49:12.385 [DEBG] [Sync][36]: Response: {"user":{"username":"ajs","private":true,"deleted":false,"name":"Andrew J.Swan","vip":false,"vip_ep":false,"director":false,"ids":{"slug":"ajs","uuid":"6a535fb08d5ef71067961a436ee0598eeaf294aa"},"joined_at":"2011-07-08T20:54:45.000Z","location":"Kiev","about":"-|-","gender":"male","age":50,"images":{"avatar":{"full":"https://walter-r2.trakt.tv/images/users/000/013/623/avatars/large/c47a2ea690.jpg"}},"vip_og":false,"vip_years":0,"vip_cover_image":null},"account":{"timezone":"Europe/Kiev","date_format":"dmy","time_24hr":true,"cover_image":null,"token":null,"display_ads":true},"connections":{"facebook":false,"twitter":true,"mastodon":false,"google":true,"tumblr":false,"medium":false,"slack":false,"apple":false,"dropbox":false,"microsoft":false},"sharing_text":{"watching":"I'm watching [item]","watched":"I just watched [item]","rated":null},"limits":{"list":{"count":10,"item_count":100},"watchlist":{"item_count":100},"favorites":{"item_count":100},"search":{"recent_count":5},"collection":{"item_count":100},"notes":{"item_count":100},"recommendations":{"item_count":100}},"permissions":{"commenting":true,"liking":true,"following":true}}, Headers: {Transfer-Encoding: chunked, Connection: keep-alive, CF-RAY: 9802330f6f29ef1a-WAW, x-frame-options: SAMEORIGIN, x-xss-protection: 0, x-content-type-options: nosniff, x-download-options: noopen, x-permitted-cross-domain-policies: none, referrer-policy: strict-origin-when-cross-origin, vary: Accept-Encoding, x-ratelimit: {"name":"AUTHED_API_GET_LIMIT","period":300,"limit":1000,"remaining":999,"until":"2025-09-16T17:50:00Z"}, x-request-id: d9c84f6a-61ca-4784-b93e-110566415df4, x-runtime: 0.368244, cf-cache-status: DYNAMIC, speculation-rules: "/cdn-cgi/speculation", alt-svc: h3=":443"; ma=86400, Cache-Control: max-age=0, private, must-revalidate, Content-Type: application/json; charset=utf-8, Date: Tue, 16 Sep 2025 17:49:16 GMT, ETag: W/"etag", Server: cloudflare}
2025-09-16 20:49:12.387 [INFO] [Sync][36]: User ajs successfully signed in and retrieved online settings from trakt.tv

And on the 17th we already found an error, and this happens every couple of days.

2025-09-17 21:01:09.612 [INFO] [PlaySync][44]: The trakt access token has now expired as of 15.09.2025 19:37:41, requesting refresh token
2025-09-17 21:01:09.621 [DEBG] [PlaySync][44]: Address: https://api.trakt.tv/oauth/token, Post: {"client_id":"private","client_secret":"private","grant_type":"refresh_token","redirect_uri":"urn:ietf:wg:oauth:2.0:oob","refresh_token":"token"}
2025-09-17 21:01:10.184 [ERR ] [PlaySync][44]: Protocol Error, Code = '400', Description = 'Bad Request', Url = 'https://api.trakt.tv/oauth/token', Headers = 'Transfer-Encoding: chunked, Connection: keep-alive, CF-RAY: id-WAW, x-xss-protection: 0, x-content-type-options: nosniff, x-download-options: noopen, x-permitted-cross-domain-policies: none, referrer-policy: strict-origin-when-cross-origin, content-security-policy: frame-ancestors 'self' https://trakt.tv https://*.trakt.tv http://localhost:* https://localhost:*;, vary: Accept-Encoding, x-ratelimit: {"name":"AUTHED_API_POST_LIMIT","period":1,"limit":1,"remaining":0,"until":"2025-09-17T18:01:15Z"}, x-request-id: request-id, x-runtime: 0.005531, cf-cache-status: DYNAMIC, alt-svc: h3=":443"; ma=86400, Cache-Control: no-store, Content-Type: application/json; charset=utf-8, Date: Wed, 17 Sep 2025 18:01:15 GMT, Set-Cookie: _traktsession=session-id; path=/; HttpOnly; SameSite=Lax, Server: cloudflare, WWW-Authenticate: Bearer realm="Trakt", error="invalid_grant", error_description="The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."'
2025-09-17 21:01:10.210 [ERR ] [PlaySync][44]: Failed to refresh access token from trakt.tv, you must go to settings and re-authorise application, Code = '400', Reason = 'Bad Request'

2025-09-16 20:49:12.387 - Refresh Ok
...
2025-09-17 21:01:09.612 - Refresh failed

Judging by the time, it looks like more than 24 hours have passed, but as I understand it, the Token should have been updated anyway?

1 Like

OK, so 90 days had passed.

I checked my app; as expected, it could not connect: invalid token.

Now I run the fetch token script using the refresh token, and

[image]

So, what’s next :rofl:

That is the expected behavior. You currently have a 90-days token, until you revoke it or we have to revoke it for some reason, it will be refreshed into a new 90-days token.

Just to make sure: the access token has a 90-days validity (so after 90 days, any request made with that token will fail), the refresh token has a longer validity (way longer than 90 days). You can (have to even) refresh an invalid token with your refresh token (and other information that’s validated). It is standard OAuth 2 behavior.

Sorry! I see your message now without an answer. Did you manage to fix your issue?

Hi Kevin,

No, but you confused me a bit.

Isn’t the token valid for 1 day, and then you have to use the refresh token to get the new one?

Wasn’t that what this thread was all about? I know the validity was 90 days for years, but the point of the thread was that Dustin said the API has changed and now has 24 hours.

So what is correct or not :rofl: ??

I’m OK with 90 days if that is correct; I just want to make sure that I do not mess anything up with the API or cause any trouble for the site.

Yeah, it was 90 days, then we changed it to 24 hours. More recently, we changed it to 7 days.

The confusion is understandable :rofl:
To make it short, a token has 3 main things:

  • an access token that is valid for a “short” period of time,
  • a refresh token that is valid for a long period of time,
  • a validity period for the access token.

That validity period stays the same when you refresh your token. This means, if you got the first token when the validity was 90 days, your refresh will give you a 90-day valid access token. If you get a new token (not a refresh) now, the new access token will be valid for 7 days and all refreshes will keep refreshing for 7 days even if we change that again in the future.

1 Like

So to make it right with Trakt, I should get a new token (not with the refresh token) and that will give 7 days. Then the refresh token will also give 7 days.

I didn’t know about the change from 24 hours to 7 days, damn, I need to change my code again :victory_hand:

You can keep refreshing the 90 days token, that’s really not an issue, especially if it’s an app you are the only one using and not distributing.

If you ask for a new access token without refreshing, yes.

You should look at the created_at and add the expires_in in the token response and use that date to refresh; no need to update your app every time we change the validity if you do that :nerd_face:

Yeah, I will probably keep that. I use the app two times per week max. It is for my own personal use to keep track of some very OSD stuff.

Thanks!

1 Like
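
The advice given in the thread (save the expiration, add expires_in to created_at, and refresh from that date rather than from a fixed 24-hour, 7-day or 90-day assumption), written out in PowerShell as an added example; it is not code from any poster or from Trakt. The function names, `$ClientId`, `$ClientSecret` and `$StatePath` are assumptions, and the sample response is constructed from the created_at and expires_in values in the log above.

```powershell
# Added example: derive the refresh time from the token response itself.

function Get-TokenExpiry {
    param([Parameter(Mandatory)] $Token)
    # created_at is Unix time in seconds; expires_in is the lifetime in seconds.
    [DateTimeOffset]::FromUnixTimeSeconds([long]$Token.created_at + [long]$Token.expires_in)
}

function Test-TokenNeedsRefresh {
    param(
        [Parameter(Mandatory)] $Token,
        [DateTimeOffset] $Now = [DateTimeOffset]::UtcNow,
        [TimeSpan] $Margin = [TimeSpan]::FromHours(1)   # refresh a little early
    )
    $Now -ge (Get-TokenExpiry $Token).Subtract($Margin)
}

function Update-Token {
    # $ClientId, $ClientSecret and $StatePath are placeholders supplied by the caller.
    param($Token, [string] $ClientId, [string] $ClientSecret, [string] $StatePath)
    $body = @{
        refresh_token = $Token.refresh_token
        client_id     = $ClientId
        client_secret = $ClientSecret
        redirect_uri  = 'urn:ietf:wg:oauth:2.0:oob'
        grant_type    = 'refresh_token'
    } | ConvertTo-Json
    try {
        $new = Invoke-RestMethod -Uri 'https://api.trakt.tv/oauth/token' -Method Post `
                                 -ContentType 'application/json' -Body $body
    } catch {
        # 400 is what the failed refresh in the log returned (invalid_grant).
        $status = [int]$_.Exception.Response.StatusCode
        if ($status -eq 400) { throw 'Refresh token rejected (400): re-authorise the application.' }
        throw   # network or server error: keep the stored token and retry later
    }
    # Persist the whole response: it carries the new refresh_token, created_at and expires_in.
    # The file holds live credentials, so keep it readable by the current user only.
    $new | ConvertTo-Json | Set-Content -Path $StatePath
    $new
}

# Constructed sample (token strings are placeholders).
$sample = [pscustomobject]@{ access_token = 'token'; refresh_token = 'token'
                             created_at = 1758044955; expires_in = 86399 }
Get-TokenExpiry $sample
Test-TokenNeedsRefresh $sample -Now ([DateTimeOffset]::FromUnixTimeSeconds(1758044955 + 3600))
Test-TokenNeedsRefresh $sample -Now ([DateTimeOffset]::FromUnixTimeSeconds(1758044955 + 86399))
```

The same check works unchanged for a response with expires_in of 7775999, because nothing in it depends on the validity period in force when the token was first issued.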