Skip to first unread message
Developer Group for CMS Blue Button API
Apr 16, 2026, 5:28:29 PM (12 days ago) Apr 16
to Developer Group for CMS Blue Button API
Hi Blue Button Community,
To better align with security and industry standards, we are changing our default access token lifetime from 10 hours to 1 hour. This change will happen in roughly 30 days, on Monday, May 18th. While we don’t expect this to have a significant impact on applications, please let us know if you have any concerns.
Please read the FAQs below for further details:
Will this affect existing 10-hour tokens at the time this goes into effect?
No, any existing 10-hour tokens that are valid at the time this goes into effect will remain valid for the original timeframe when the token was generated. When the token expires, any new tokens created (either via refresh or new authorization) will then have a 1-hour lifetime.
What error will occur if an application attempts to use a token that has expired after 1 hour?
The existing workflow for token expiration will remain in place – using an expired token will result in a 401 error. The application would then need to get a new token either by refreshing a refreshable token or by initiating a new authorization flow.
What will the impact be for applications that use refresh tokens?
This change means that refreshable access tokens will need to be refreshed more frequently, as each access token will only be valid for 1 hour instead of 10. Refresh tokens can continue to be exchanged for new access tokens for the duration of the user-granted access (13 months in most cases). If applications have set up an automatic refresh mechanism for Blue Button tokens, they could expect to see an increase in refresh calls. Application teams should audit their exception handling on long-running transactions with Blue Button API for expired tokens to ensure that they are able to properly refresh tokens and re-run transactions as needed.
Thank you,
The Blue Button API Team
To better align with security and industry standards, we are changing our default access token lifetime from 10 hours to 1 hour. This change will happen in roughly 30 days, on Monday, May 18th. While we don’t expect this to have a significant impact on applications, please let us know if you have any concerns.
Please read the FAQs below for further details:
Will this affect existing 10-hour tokens at the time this goes into effect?
No, any existing 10-hour tokens that are valid at the time this goes into effect will remain valid for the original timeframe when the token was generated. When the token expires, any new tokens created (either via refresh or new authorization) will then have a 1-hour lifetime.
What error will occur if an application attempts to use a token that has expired after 1 hour?
The existing workflow for token expiration will remain in place – using an expired token will result in a 401 error. The application would then need to get a new token either by refreshing a refreshable token or by initiating a new authorization flow.
What will the impact be for applications that use refresh tokens?
This change means that refreshable access tokens will need to be refreshed more frequently, as each access token will only be valid for 1 hour instead of 10. Refresh tokens can continue to be exchanged for new access tokens for the duration of the user-granted access (13 months in most cases). If applications have set up an automatic refresh mechanism for Blue Button tokens, they could expect to see an increase in refresh calls. Application teams should audit their exception handling on long-running transactions with Blue Button API for expired tokens to ensure that they are able to properly refresh tokens and re-run transactions as needed.
Thank you,
The Blue Button API Team
Reply all
Reply to author
Forward
0 new messages