As part of our ongoing effort to enhance security and compliance, we’re introducing significant changes to our refresh token policy. These updates will impact how you manage authentication and authorization for your applications.
What is happening?
Previously, in Intuit’s OAuth 2.0 authorization flow, refresh tokens were considered long-lived and remained valid as long as they were used at least once every 100 days, making them effectively permanent. This policy has changed. All refresh tokens will now have a maximum validity period of five years. This change ensures that tokens are rotated regularly, reducing the risk associated with long-lived tokens.
If your app uses the com.quickbooks.accounting or the com.quickbooks.payments scope, refresh tokens generated from October 2023 onward have a validity of five years, and the first set of those tokens will start to expire in October 2028.
If your app uses our restricted and granular scopes, refresh tokens generated from February 2022 onward have a validity of five years, and the first set of those tokens will start to expire in February 2027.
We understand that this is a significant change to our platform, and this is an early announcement of changes that are yet to come. To support you in implementing the change, we are releasing the following:
- Update to refresh token endpoint response:
In the response to the refresh token request, we will start to return a new field that tells you when this refresh token will expire. This new field will also be added to our SDKs and OAuth clients. More information will be provided in the coming months. You can use this field to determine when to ask customers to reauthorize and reconnect your app to their QuickBooks Online company.
- Reconnect URL:
In January 2026, you will start to see a field called “Reconnect URL” in your app’s settings in the developer portal. This will be a mandatory field. You must provide a link to the page from which customers can reconnect to your app. This URL will be prominently displayed to customers, ensuring they can easily re-authenticate when necessary.
- Customer notifications:
In QuickBooks Online, customers will receive timely notifications regarding expiring app connections through multiple channels: 30 days prior to expiration, they will see notifications and actions on their top menu and Integrations page, and 7 days before the connection expires, they will receive an email reminder. Both the in-product notifications and email alerts will include a direct link to reconnect the integration, enabling customers to take immediate action and maintain uninterrupted service.
What do I need to do?
Start evaluating how your app can handle the expiration of refresh tokens and how you can prompt customers to reconnect at the right time, so that interruptions are minimized and they can continue using the integration you’ve built.
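One way an app could act on the expiry information described above, as an added example that is not Intuit’s own code or SDK: it reads a token-endpoint response, uses the announced expiry field when present (Intuit has not yet named that field, so `refresh_token_expires_at` carrying an RFC 3339 timestamp is a placeholder), falls back to the five-year cap counted from when the customer first authorized the connection (an assumption about how the cap is anchored), and returns whether the app should do nothing, warn the customer, or require a reconnect, using the same 30-day window as the in-product notifications. `x_refresh_token_expires_in` is the relative field in the current token response; it is the deadline the app itself can extend by refreshing, which is why it is tracked separately from the fixed cap.

```python
"""Decide when to prompt a QuickBooks Online customer to reconnect, based on
refresh-token expiry.  Added example, not Intuit's code: the absolute-expiry
field has not been named yet, so `refresh_token_expires_at` is a placeholder."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy values taken from the announcement.
MAX_REFRESH_TOKEN_LIFETIME_YEARS = 5
NOTIFY_DAYS_BEFORE_EXPIRY = 30            # mirrors the 30-day in-product notification window
# Placeholder name for the announced-but-unnamed expiry field (assumption).
ABSOLUTE_EXPIRY_FIELD = "refresh_token_expires_at"


@dataclass(frozen=True)
class RefreshTokenState:
    authorized_at: datetime               # when the customer first connected the app
    rolling_expiry: Optional[datetime]    # from x_refresh_token_expires_in; extended by refreshing
    absolute_expiry: datetime             # five-year cap; cannot be extended, only re-authorized


def add_years(moment: datetime, years: int) -> datetime:
    """Add calendar years, clamping Feb 29 to Feb 28 when the target year is not a leap year."""
    try:
        return moment.replace(year=moment.year + years)
    except ValueError:
        return moment.replace(year=moment.year + years, day=28)


def parse_token_response(resp: dict, authorized_at: datetime) -> RefreshTokenState:
    """Build a RefreshTokenState from a token-endpoint response body.

    If the new absolute-expiry field is present (assumed RFC 3339 format), trust it;
    otherwise fall back to authorized_at + 5 years, the maximum lifetime the policy
    allows.  x_refresh_token_expires_in (seconds) is kept as the rolling deadline.
    """
    now = datetime.now(timezone.utc)
    rolling = None
    if "x_refresh_token_expires_in" in resp:
        rolling = now + timedelta(seconds=int(resp["x_refresh_token_expires_in"]))

    raw = resp.get(ABSOLUTE_EXPIRY_FIELD)
    if raw:
        absolute = datetime.fromisoformat(str(raw).replace("Z", "+00:00"))
    else:
        absolute = add_years(authorized_at, MAX_REFRESH_TOKEN_LIFETIME_YEARS)
    return RefreshTokenState(authorized_at, rolling, absolute)


def reconnect_action(state: RefreshTokenState, now: datetime) -> str:
    """Return 'ok', 'warn' (inside the 30-day window) or 'reconnect' (cap reached).

    Only the absolute cap drives this decision: the rolling deadline is handled
    by refreshing on schedule, which the app can do without the customer.
    """
    remaining = state.absolute_expiry - now
    if remaining <= timedelta(0):
        return "reconnect"
    if remaining <= timedelta(days=NOTIFY_DAYS_BEFORE_EXPIRY):
        return "warn"
    return "ok"


def demo() -> dict:
    """Run the decision over constructed inputs; returns the actions for inspection."""
    authorized = datetime(2023, 10, 15, tzinfo=timezone.utc)   # constructed
    # Response without the new field: fall back to the five-year cap (2028-10-15).
    legacy = parse_token_response({"x_refresh_token_expires_in": 8726400}, authorized)
    # Response carrying the (placeholder) absolute field: trust it instead.
    explicit = parse_token_response(
        {"x_refresh_token_expires_in": 8726400, ABSOLUTE_EXPIRY_FIELD: "2027-03-01T00:00:00Z"},
        authorized,
    )
    return {
        "legacy_cap": legacy.absolute_expiry.isoformat(),
        "explicit_cap": explicit.absolute_expiry.isoformat(),
        "far_out": reconnect_action(legacy, datetime(2028, 1, 1, tzinfo=timezone.utc)),
        "in_window": reconnect_action(legacy, datetime(2028, 10, 1, tzinfo=timezone.utc)),
        "expired": reconnect_action(legacy, datetime(2028, 10, 16, tzinfo=timezone.utc)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In production the `warn` result is where the app would surface its Reconnect URL to the customer, and `reconnect` is where API calls should stop and the reauthorization flow begin rather than retrying a token that can no longer be refreshed.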
When do I need to take action?
We will notify you as the above features become available for you to take advantage of. Note that if your app uses the com.quickbooks.accounting or the com.quickbooks.payments scope, the first set of tokens will start to expire in October 2028. If your app uses our restricted and granular scopes, the first set of those tokens will start to expire in February 2027.
What if I have additional questions?
Connect with our developer support team by submitting a ticket, asking a question on our forums, or attending our office hours. We’ll be hosting a webinar about the refresh token policy changes on January 21, 2026. Sign up here to attend this session and have your questions answered.
