The changes come into effect starting 7 April 2025 and will impact the expiry date of all new access tokens issued for account access consents.
We're making some changes to our Open Banking API, which will affect responses returned when obtaining access tokens for account information consents.
To ensure a smooth transition and backwards compatibility, we'll introduce these changes in 2 stages, giving you enough time to adapt:
Starting from 7 April 2025, in the API response alongside the access_token, you'll also obtain a refresh_token.
At this stage, the expiry of the refresh token will be the same as that for the access token, and will be returned in the field refresh_token_expires_at.
infoA refresh token is used to obtain a new access token once the previous access token has expired. To regenerate an access token using the refresh token, you make a call to the /token endpoint with grant_type=refresh_token, following the steps described here. The new access token that you get replaces the previous access token.
Starting from 4 August 2025, newly-issued access tokens will expire after 60 minutes. The refresh tokens will continue to have an expiration of:
- 180 days for EU users
- 50 years for long-lived tokens for UK users
- 90 days for other regions
What do I need to do?
Starting from 7 April 2025 and by 4 August 2025, you should start recording the refresh tokens that you obtain, together with your new access tokens. You'll then be able to use the refresh token to get a new access token.
noteYou don’t need the refresh token if you only need to be able to access user data until the first access token expires. However, we recommend that you store the refresh token either way. This will ensure hassle-free token regeneration if your business needs change along the way and your access token expires before you’re done using it.
After 4 August 2025, once your access token expires, if you want to continue accessing customer data, you'll need to get a new access token using the refresh token.
When refreshing an access token, the previously issued access token linked to that refresh token will automatically be invalidated.
Any access tokens already issued to EU customers will still work until they expire.
Any long-lived access tokens already issued for UK customers will still work, but we encourage AISPs to reauthorise their consents to obtain a refresh token.
For more information, please check our online documentation.
If you have any questions, please email api-requests@revolut.com.